Attackers behind a recent supply chain attack that involved rogue GitHub repositories and npm packages used smart contracts on the Ethereum blockchain to deliver malware payloads. The attacks likely targeted users and developers from the cryptocurrency space.
“These latest attacks by threat actors, including the creation of sophisticated attacks using blockchain and GitHub, show that attacks on repositories are evolving and that developers and development organizations alike need to be on the lookout for efforts to implant malicious code in legitimate applications, gain access to sensitive development assets and steal sensitive data and digital assets,” researchers from ReversingLabs wrote in their report on the attack.
The use of Ethereum smart contracts to hide the URL for the secondary malware payload was likely done to evade security tools that scan npm packages for suspicious URLs and commands.
Npm as obfuscation layer for GitHub campaign
The ReversingLabs researchers discovered two rogue npm packages called colortoolsv2 and mimelib2 that used Ethereum smart contracts for malware delivery in July. But not much effort was put into making those packages look legitimate and attractive for developers to include in their projects, which is usually the goal of supply chain attacks with rogue npm packages.
The colortoolsv2 package — and the mimelib2 one that later replaced it — contained only the files needed to implement the malicious functionality. As the researchers later found, this was because they were part of a larger coordinated campaign, the focus of which was to trick users into running code from fake GitHub repositories that would then download the npm packages automatically as dependencies.
The rogue GitHub repositories claimed to be for automated cryptocurrency trading bots and were crafted to look legitimate. They appeared to have multiple active contributors, thousands of code commits, and multiple stars, but these were all faked with sockpuppet accounts created around the same time as the npm packages popped up.
“When we dug into the large number of commits and what was committed, it quickly became apparent that the code contributors were also fakes and that the actual number of commits had been inflated,” the researchers found. “In fact, there are thousands of commits and each day that number increases by a couple of thousand, indicating that the malicious actor has set up an infrastructure for automated commit pushing.”
Most commits involved deleting and adding the project’s LICENSE file. The few legitimate commits were changes to download and execute the rogue npm packages as dependencies when the repository code was executed.
The npm packages contained code that connects to the Ethereum blockchain, which is not unusual for a supposed cryptocurrency library. However, the code does so to obtain URLs stored in Ethereum smart contracts, that are then accessed to download malware payloads. Ethereum smart contracts are essentially small programs hosted on the blockchain that automatically execute when certain conditions are met.
“As this campaign shows: it is critical for developers to assess each library they are considering implementing before deciding to include it in their development cycle,” the researchers said. “And that means pulling back the covers on both open-source packages and their maintainers: looking beyond raw numbers of maintainers, commits and downloads to assess whether a given package — and the developers behind it — are what they present themselves as.”
Even though the rogue npm packages and at least one GitHub repository associated with this campaign — solana-trading-bot-v2 — were removed, the attackers are experienced and will likely set up new ones.
Cryptocurrency-related app developers have become a frequent target for software supply chain attacks via open-source package repositories. Last year, ReversingLabs detected 32 attack campaigns that involved malicious code uploaded to open-source repositories that target crypto-related developers and users.
No Responses