Software security firm ReversingLabs has identified two open-source code packages that use Ethereum smart contracts to download malware. It forms part of a “sophisticated campaign” of malicious actors attempting to hack users via poisoned blockchain-related public code libraries — a vector of attack Binance has previously linked to North Korean hackers.
The two Node Package Manager (NPM) libraries, or packages, called colortoolsv2 and mimelib2, were effectively identical in that they contained two files, one of which would run a script that downloads the second half of the malware attack via an Ethereum smart contract. NPM packages are collections of reusable, open-source code that developers will frequently use.
Lucija Valentić, Software threat researcher at ReversingLabs, wrote that the use of smart contracts was “something we haven’t seen previously.”
“‘Downloaders’ that retrieve late-stage malware are being published to the npm repository weekly — if not daily,” she said. “What is new and different is the use of Ethereum smart contracts to host the URLs where malicious commands are located, downloading the second-stage malware.”
These two packages were just the tip of the iceberg, as ReversingLabs found a larger campaign of poisoned packages across GitHub. The security firm discovered a network of GitHub repositories that were connected to the aforementioned malicious package colortoolsv2. Most of the network was branded as crypto trading bots or token sniping tools.
BNB Whale Drained of $13.5M in DPRK-Linked Phishing Attack
“Even though the NPM package wasn’t very sophisticated, there was much more work put into making the repositories holding the malicious package look trustworthy,” Valentić said.
She explained in the report that some repositories had thousands of commits, a good number of stars, and a couple of contributors, which could lead a developer to trust it. But ReversingLabs believes that most of this activity was faked by the attackers.
