{"id":4655,"date":"2025-09-03T21:03:26","date_gmt":"2025-09-03T21:03:26","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4655"},"modified":"2025-09-03T21:03:26","modified_gmt":"2025-09-03T21:03:26","slug":"malicious-npm-packages-use-ethereum-blockchain-for-malware-delivery","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4655","title":{"rendered":"Malicious npm packages use Ethereum blockchain for malware delivery"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Attackers behind a recent supply chain attack that involved rogue GitHub repositories and npm packages used smart contracts on the Ethereum blockchain to deliver malware payloads. The attacks likely targeted users and developers from the cryptocurrency space.<\/p>\n<p>\u201cThese latest attacks by threat actors, including the creation of sophisticated attacks using blockchain and GitHub, show that attacks on repositories are evolving and that developers and development organizations alike need to be on the lookout for efforts to implant malicious code in legitimate applications, gain access to sensitive development assets and steal sensitive data and digital assets,\u201d researchers from ReversingLabs wrote in their <a href=\"https:\/\/www.reversinglabs.com\/blog\/ethereum-contracts-malicious-code\">report on the attack<\/a>.<\/p>\n<p>The use of Ethereum smart contracts to hide the URL for the secondary malware payload was likely done to evade security tools that scan npm packages for suspicious URLs and commands.<\/p>\n<h2 class=\"wp-block-heading\">Npm as obfuscation layer for GitHub campaign<\/h2>\n<p>The ReversingLabs researchers discovered two rogue npm packages called colortoolsv2 and mimelib2 that used Ethereum smart contracts for malware delivery in July. But not much effort was put into making those packages look legitimate and attractive for developers to include in their projects, which is usually the goal of supply chain attacks with rogue npm packages.<\/p>\n<p>The colortoolsv2 package \u2014 and the mimelib2 one that later replaced it \u2014 contained only the files needed to implement the malicious functionality. As the researchers later found, this was because they were part of a larger coordinated campaign, the focus of which was to trick users into running code from fake GitHub repositories that would then download the npm packages automatically as dependencies.<\/p>\n<p>The rogue GitHub repositories claimed to be for automated cryptocurrency trading bots and were crafted to look legitimate. They appeared to have multiple active contributors, thousands of code commits, and multiple stars, but these were all faked with sockpuppet accounts created around the same time as the npm packages popped up.<\/p>\n<p>\u201cWhen we dug into the large number of commits and what was committed, it quickly became apparent that the code contributors were also fakes and that the actual number of commits had been inflated,\u201d the researchers found. \u201cIn fact, there are thousands of commits and each day that number increases by a couple of thousand, indicating that the malicious actor has set up an infrastructure for automated commit pushing.\u201d<\/p>\n<p>Most commits involved deleting and adding the project\u2019s LICENSE file. The few legitimate commits were changes to download and execute the rogue npm packages as dependencies when the repository code was executed.<\/p>\n<p>The npm packages contained code that connects to the Ethereum blockchain, which is not unusual for a supposed cryptocurrency library. However, the code does so to obtain URLs stored in Ethereum smart contracts, that are then accessed to download malware payloads. Ethereum smart contracts are essentially small programs hosted on the blockchain that automatically execute when certain conditions are met.<\/p>\n<p>\u201cAs this campaign shows: it is critical for developers to assess each library they are considering implementing before deciding to include it in their development cycle,\u201d the researchers said. \u201cAnd that means pulling back the covers on both open-source packages and their maintainers: looking beyond raw numbers of maintainers, commits and downloads to assess whether a given package \u2014 and the developers behind it \u2014 are what they present themselves as.\u201d<\/p>\n<p>Even though the rogue npm packages and at least one GitHub repository associated with this campaign \u2014 solana-trading-bot-v2 \u2014 were removed, the attackers are experienced and will likely set up new ones.<\/p>\n<p>Cryptocurrency-related app developers have become a frequent target for software supply chain attacks via open-source package repositories. Last year, ReversingLabs detected 32 attack campaigns that involved malicious code uploaded to open-source repositories that target crypto-related developers and users.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Attackers behind a recent supply chain attack that involved rogue GitHub repositories and npm packages used smart contracts on the Ethereum blockchain to deliver malware payloads. The attacks likely targeted users and developers from the cryptocurrency space. \u201cThese latest attacks by threat actors, including the creation of sophisticated attacks using blockchain and GitHub, show that [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4656,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4655","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4655"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4655"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4655\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4656"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4655"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4655"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4655"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}