colortoolsv2 and mimelib2 that used Ethereum smart contracts for malware delivery in July. But not much effort was put into making those packages look legitimate and attractive for developers to include in their projects, which is usually the goal of supply chain attacks with rogue npm packages.The colortoolsv2 package, and the mimelib2 one that later replaced it, contained only the files needed to implement the malicious functionality. As the researchers later found, this was because they were part of a larger coordinated campaign, the focus of which was to trick users into running code from fake GitHub repositories that would then download the npm packages automatically as dependencies.The rogue GitHub repositories claimed to be for automated cryptocurrency trading bots and were crafted to look legitimate. They appeared to have multiple active contributors, thousands of code commits, and multiple stars, but these were all faked with sockpuppet accounts created around the same time as the npm packages popped up.”When we dug into the large number of commits and what was committed, it quickly became apparent that the code contributors were also fakes and that the actual number of commits had been inflated,” the researchers found. “In fact, there are thousands of commits and each day that number increases by a couple of thousand, indicating that the malicious actor has set up an infrastructure for automated commit pushing.”Most commits involved deleting and adding the project’s LICENSE file. The few legitimate commits were changes to download and execute the rogue npm packages as dependencies when the repository code was executed.The npm packages contained code that connects to the Ethereum blockchain, which is not unusual for a supposed cryptocurrency library. However, the code does so to obtain URLs stored in Ethereum smart contracts, that are then accessed to download malware payloads. Ethereum smart contracts are essentially small programs hosted on the blockchain that automatically execute when certain conditions are met.”As this campaign shows: it is critical for developers to assess each library they are considering implementing before deciding to include it in their development cycle,” the researchers said. “And that means pulling back the covers on both open-source packages and their maintainers: looking beyond raw numbers of maintainers, commits and downloads to assess whether a given package, and the developers behind it, are what they present themselves as.”Even though the rogue npm packages and at least one GitHub repository associated with this campaign, solana-trading-bot-v2, were removed, the attackers are experienced and will likely set up new ones.Cryptocurrency-related app developers have become a frequent target for software supply chain attacks via open-source package repositories. Last year, ReversingLabs detected 32 attack campaigns that involved malicious code uploaded to open-source repositories that target crypto-related developers and users.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4050956/malicious-npm-packages-use-ethereum-blockchain-for-malware-delivery.html
