Malware Campaign Uses Ethereum Smart Contracts to Control npm Typosquat Packages

An ongoing campaign is targeting npm developers with hundreds of typosquat versions of their legitimate counterparts in an attempt to trick them into running cross-platform malware.

The attack is notable for utilizing Ethereum smart contracts for command-and-control (C2) server address distribution, according to independent findings from Checkmarx, Phylum, and Socket published over the past few days.

The activity was first flagged on October 31, 2024, although it’s said to have been underway at least a week prior. No less than 287 typosquat packages have been published to the npm package registry.

“As this campaign began to unfold in earnest, it became clear that this attacker was in the early stages of a typosquat campaign targeting developers intending to use the popular Puppeteer, Bignum.js, and various cryptocurrency libraries,” Phylum said.

The packages contain obfuscated JavaScript that’s executed during (or post) the installation process, ultimately leading to the retrieval of a next-stage binary from a remote server based on the operating system.

The binary, for its part, establishes persistence and exfiltrates sensitive information related to the compromised machine back to the same server.

But in an interesting twist, the JavaScript code interacts with an Ethereum smart contract using the ethers.js library to fetch the IP address. It’s worth mentioning here that a campaign dubbed EtherHiding leveraged a similar tactic by using Binance’s Smart Chain (BSC) contracts to move to the next phase of the attack chain.

The decentralized nature of blockchain means it’s harder to block the campaign as the IP addresses served by the contract can be updated over time by the threat actor, thereby allowing the malware to seamlessly connect to new IP addresses as older ones are blocked or taken down.

“By using the blockchain in this way, the attackers gain two key advantages: their infrastructure becomes virtually impossible to take down due to the blockchain’s immutable nature, and the decentralized architecture makes it extremely difficult to block these communications,” Checkmarx researcher Yehuda Gelb said.

It’s currently not clear who is behind the campaign, although the Socket Threat Research Team said it identified error messages written in Russian for exception handling and logging purposes, suggesting that the threat actor could be a Russian speaker.

The development once again demonstrates the novel ways attackers are poisoning the open-source ecosystem, necessitating that developers be vigilant when downloading packages from software repositories.

“The use of blockchain technology for C2 infrastructure represents a different approach to supply chain attacks in the npm ecosystem, making the attack infrastructure more resilient to takedown attempts while complicating detection efforts,” Gelb said.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.