Malware campaign uses Ethereum smart contracts to control typosquat npm packages

November 5, 2024Ravi LakshmananMalware / Blockchain


An ongoing campaign is targeting npm developers with hundreds of typosquat versions of legitimate packages in an attempt to trick them into running cross-platform malware.

The attack is characterized by the use of Ethereum smart contracts to distribute the addresses of command-and-control (C2) servers, according to independent findings that Checkmarx, Phylum, and Socket published in the last few days.

The activity was first noted on October 31, 2024, although it is said to have begun at least a week earlier. At least 287 typosquat packages have been published to the npm package registry.

“As this campaign began to take off in earnest, it became clear that this attacker was in the early stages of a typosquat campaign targeting developers intending to use the popular Puppeteer, Bignum.js, and various cryptocurrency libraries,” Phylum said.

The packages contain obfuscated JavaScript code that is executed during (or after) the installation process and ultimately retrieves a next-stage binary from a remote server, chosen according to the operating system.

The binary, for its part, establishes persistence and exfiltrates sensitive information about the compromised machine back to the same server.

In an interesting twist, the JavaScript code interacts with an Ethereum smart contract using the ethers.js library to obtain the IP address. It is worth noting that the campaign dubbed EtherHiding used a similar tactic, using Binance Smart Chain (BSC) contracts to advance to the next stage of the attack chain.

The decentralized nature of the blockchain makes the campaign harder to block: the IP addresses served by the contract can be updated by the threat actors over time, allowing the malware to seamlessly connect to new IP addresses when old ones are blocked or taken down.

“Using the blockchain in this way gives attackers two key advantages: their infrastructure becomes nearly impossible to destroy due to the immutable nature of the blockchain, and the decentralized architecture makes it extremely difficult to block these communications,” said Checkmarx researcher Yehuda Gelb.

It is currently unclear who is behind the campaign, although Socket’s threat research team said it found error messages written in Russian for exception handling and logging, suggesting the threat actor may have been Russian-speaking.

The development once again demonstrates new ways attackers are poisoning the open source ecosystem, requiring developers to be vigilant when downloading packages from software repositories.

“The use of blockchain technology for the C2 infrastructure presents a different approach to supply chain attacks in the npm ecosystem, making the attack infrastructure more resistant to dismantling attempts while making detection efforts more difficult,” Gelb said.
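For defenders, the pattern described above (a lookalike name, an install-time hook, and a hook script that uses ethers.js to query a contract) can be triaged before a package is installed. The following is an added example, not code from the article or from the researchers' tooling; the watchlist, the indicator patterns and the sample package are assumptions chosen for illustration. Because the campaign's code is obfuscated, the string indicators may not fire on real samples, so the name check and the presence of an install hook are the signals to rely on.

```javascript
// Watchlist and indicator patterns are assumptions chosen for illustration.
const WATCHLIST = ["puppeteer", "ethers"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const CHAIN_INDICATORS = [
  /require\(\s*['"]ethers['"]\s*\)|from\s+['"]ethers['"]/, // ethers.js loaded
  /JsonRpcProvider|getDefaultProvider/,                  // RPC provider setup
  /new\s+(ethers\.)?Contract\s*\(/,                      // contract handle
];

// Levenshtein edit distance, two-row dynamic programming.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns the watchlist name this package name imitates, or null.
function lookalikeOf(name) {
  return WATCHLIST.find((w) => w !== name && editDistance(name, w) <= 2) || null;
}

// manifest: parsed package.json; files: { relativePath: source text }.
function triage(manifest, files) {
  const findings = [];
  const target = lookalikeOf(manifest.name);
  if (target) findings.push(`name resembles "${target}"`);
  for (const hook of INSTALL_HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (!cmd) continue;
    findings.push(`${hook} hook runs: ${cmd}`);
    const m = /\bnode\s+(\S+)/.exec(cmd); // resolve "node ./x.js" to its source
    const src = m ? files[m[1].replace(/^\.\//, "")] : undefined;
    if (src && CHAIN_INDICATORS.some((re) => re.test(src)))
      findings.push(`${hook} script talks to an Ethereum contract`);
  }
  return findings;
}

// Constructed sample package, not taken from the campaign.
const SAMPLE = { name: "puppetear", scripts: { postinstall: "node ./setup.js" } };
const SAMPLE_FILES = { "setup.js": "const { ethers } = require('ethers');" };
console.log(triage(SAMPLE, SAMPLE_FILES));
```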
