Advanced Supply Chain Attack Targets Developers Through NPM Using Blockchain Technology

CyberSecureFox 🦊

A sophisticated supply chain attack targeting the NPM repository has been uncovered by security researchers from Checkmarx, Phylum, and Socket. The campaign combines typosquatting with Ethereum smart contracts, using the blockchain both to distribute malware and to conceal its command-and-control infrastructure.

Attack Campaign Overview and Scope

The campaign, which began on October 31, 2024, has deployed over 287 malicious packages to the NPM repository. Threat actors implemented a typosquatting strategy, creating packages with names closely resembling popular cryptocurrency libraries, Puppeteer, and Bignum.js, specifically targeting the developer community.

Technical Analysis of the Malicious Code

Upon installation, the compromised packages execute obfuscated JavaScript code that downloads a malicious binary from a remote server. This payload performs comprehensive system reconnaissance, collecting sensitive information including GPU specifications, CPU details, memory capacity, username, and operating system version.

Blockchain-Based Command and Control Infrastructure

What sets this campaign apart is its innovative use of Ethereum smart contracts for command-and-control server address distribution. The malware leverages the ethers.js library to interact with the blockchain network, retrieving current C2 server IP addresses. This sophisticated approach makes traditional infrastructure blocking methods significantly less effective, as control server addresses can be dynamically updated through blockchain transactions.

Attribution and Historical Context

Researchers from the Socket Threat Research Team identified Russian-language error messages within the code, suggesting possible attribution to Russian-speaking threat actors. The technique mirrors the 2023 EtherHiding campaign, which used Binance Smart Chain contracts for the same purpose, indicating an evolving trend in malware development.

This attack represents a significant evolution in supply chain threats, demonstrating how threat actors are leveraging blockchain technology to enhance malware resilience and evade detection. Security professionals recommend implementing strict package verification processes, utilizing automated security scanning tools for NPM dependencies, and maintaining up-to-date software supply chain security practices. Organizations should also consider implementing runtime application self-protection (RASP) solutions and container security measures to mitigate similar threats.
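As an added example (not code from the article or from the researchers it cites), the following Node.js script implements two of the package-verification checks recommended above against the tactics described in this campaign: it flags dependency names within a small edit distance of popular packages (the campaign imitated Puppeteer and Bignum.js; the allow-list of guarded names is an assumed, illustrative one), and it flags install-time lifecycle scripts in a package manifest, since the payload here runs on installation. The sample manifests are constructed for the demo; the package names in them are made up and are not indicators from the campaign.

```javascript
// Added example: a minimal NPM dependency audit for typosquats and install hooks.
// Nothing here is the article's or the researchers' code; names are assumed.

// Assumed list of popular packages worth guarding; extend it for your own stack.
const POPULAR_PACKAGES = ["puppeteer", "bignum.js", "ethers", "web3", "lodash", "express"];

// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Classic Levenshtein edit distance, single-row variant (fine for name lengths).
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Strip an npm scope ("@scope/name" -> "name") so scoped look-alikes are compared too.
function bareName(name) {
  return name.startsWith("@") ? name.split("/")[1] || name : name;
}

// Return [{ dependency, lookalikeOf, distance }] for every dependency that is
// close to, but not identical to, a guarded popular package.
function findTyposquats(depNames, popular = POPULAR_PACKAGES, maxDistance = 2) {
  const hits = [];
  for (const dep of depNames) {
    const candidate = bareName(dep).toLowerCase();
    for (const known of popular) {
      if (candidate === known) continue; // exact match: the genuine package
      const distance = levenshtein(candidate, known);
      if (distance <= maxDistance) hits.push({ dependency: dep, lookalikeOf: known, distance });
    }
  }
  return hits;
}

// Return the install-time lifecycle scripts declared in a package manifest.
function findInstallHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Constructed sample input: a project manifest and one installed package's
// manifest. "puppeter" and "bignun.js" are invented look-alike names.
const SAMPLE_PROJECT = {
  dependencies: { puppeter: "^1.0.0", "bignun.js": "^2.0.0", express: "^4.0.0", ethers: "^6.0.0" },
};
const SAMPLE_INSTALLED_PACKAGE = {
  name: "puppeter",
  scripts: { postinstall: "node ./setup.js", test: "jest" },
};

// Combine both checks; installedManifests would normally come from
// node_modules/*/package.json, read with fs in a real run.
function auditProject(project, installedManifests) {
  const deps = Object.keys(project.dependencies || {});
  return {
    typosquats: findTyposquats(deps),
    installHooks: installedManifests
      .map((m) => ({ name: m.name, hooks: findInstallHooks(m) }))
      .filter((entry) => entry.hooks.length > 0),
  };
}

console.log(JSON.stringify(auditProject(SAMPLE_PROJECT, [SAMPLE_INSTALLED_PACKAGE]), null, 2));
```

Both findings are leads for review rather than verdicts: an edit distance of 2 on very short names (such as `web3`) produces false positives, and a `postinstall` script is legitimate in many packages. What the campaign shows is that the combination of a look-alike name and install-time execution deserves a manual look before the package is allowed into a build.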
