Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Research
Security News
Kirill Boychenko
November 19, 2024
In October 2024, Socket discovered a widespread npm malware campaign using Ethereum smart contracts to evade detection and maintain control over infected systems. Building on our initial research and equipped with analyses of the malicious packages, we tracked down the adversarial tactics, techniques, and procedures (TTPs) behind this attack.
Now we can answer a series of questions which arose from the initial discovery, and that can help enhance defenses of the open source software community, particularly developers and organizations that rely on open source packages. We identified that the threat actor behind the malicious campaign we discovered was looking to build a blockchain-powered botnet. The adversarial playbook for this attack was orchestrated by “_lain”, a Russian-speaking threat actor, who shared their know-how in September and October 2024 within the underground forum XSS, posting detailed guides and code demonstrating how to exploit the npm ecosystem through typosquatting, postinstall
scripts, and ultimately build a resilient, cross-platform botnet using Ethereum smart contracts for decentralized command and control (C2) mechanism.
By exploiting typosquatting and the abuse of postinstall
scripts in npm packages, the botnet infiltrated developers’ systems, posing significant risks to software supply chain security. Threat actor use of blockchain technology as a C2 mechanism represents a novel and concerning evolution in software supply chain attacks. The botnet’s cross-platform capabilities and obfuscation techniques amplified the attack and made detection challenging, highlighting vulnerabilities within the npm ecosystem. With 280 malicious packages downloaded more than 26,000 times, the potential impact on developers and organizations is profound.
Many of these packages had names similar to popular ones to trick developers into installing them – a classic typosquatting move. Once installed, the malicious postinstall
scripts would execute and turn the infected system into part of the botnet. _lain’s botnet, known as “MisakaNetwork”, primarily targeted software developers, especially those working on cryptocurrency-related projects.
On October 31, 2024, we published our findings from the investigation into an advanced npm supply chain attack using Ethereum smart contracts for decentralized, persistent malware control, evading traditional defenses. Our colleagues in the field, Phylum, also identified this malicious campaign and published their research on October 31, 2024, and later Checkmarx published their analysis on November 4, 2024.
According to _lain’s guide, which the threat actor shared on the top-tier underground forum XSS, their botnet relies on the Ethereum blockchain to dynamically retrieve its C2 server address using a getString
method from a deployed Ethereum smart contract. This use of blockchain makes it harder to block, as decentralized networks are challenging to take down. The lack of IP addresses in the client code makes it stealthier and challenging for defenders to detect. In their September guide, _lain described this novel C2 mechanism that we discovered being deployed en masse at the end of October and into November 2024.
The code implements a fetchAndUpdateIp()
function to continuously fetch the C2 address from the Ethereum smart contract, enabling dynamic C2 changes without requiring client updates. The payload is executed using eval
, making it highly flexible but dangerous as any code can be run on the infected system.
Another feature of MisakaNetwork is that the botnet allows remote execution of JavaScript payloads on infected machines, with all functionality controlled server-side. By using Node.js and configuring it to run in the background, with graphical user interface (GUI) suppression, the botnet remains hidden from most users, increasing its persistence on infected systems.
MisakaNetwork botnet web interface and a login panel
_lain provided the code for setting up the botnet but warned other XSS forum members to change their Ethereum smart contract and the wallet address to the ones that threat actors control.
const contractAddress = "0xa1b40044ebc2794f207d45143bd82a1b86156c6b";
// Editor’s note: _lain’s Ethereum smart contract address that they ask other threat actors to change to their own contractconst WalletOwner = "0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84";
// Editor’s note: _lain’s Ethereum wallet address that they ask other threat actors to change to a wallet that they controlThese lines of code specify the Ethereum smart contract address and Ethereum wallet address the botnet client uses to retrieve the C2 server URL. This configuration allows the bot to dynamically query the C2 server address from the blockchain, providing a resilient and stealthy C2 mechanism. For creating Ethereum smart contracts, _lain suggested using remix.ethereum.org. Remix Ethereum is a web-based Integrated Development Environment (IDE) designed for developers to write, deploy, debug, and test smart contracts on the Ethereum blockchain.
We found this exact Ethereum smart contract address (0xa1b40044ebc2794f207d45143bd82a1b86156c6b
) and Ethereum wallet address (0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84
) used as a blockchain-enabled C2 deployed in the above-mentioned widespread campaign infiltrating the npm ecosystem with malware. If another threat actor used _lain’s code and kept the same Ethereum smart contract address and the wallet address, they would lose control over the smart contract and the ability to change C2 endpoints stored in the contract. Reusing the code as-is would also allow _lain to hijack the operations and gain full control over the infected systems – the bots.
Initially, _lain provided a detailed walk-through on how to build the botnet’s Node.js client as a Windows executable, making it portable and easier to run on infected Windows machines. In a later update to the XSS forum thread, on October 22, 2024, the threat actor announced that they upgraded MisakaNetwork, extending the botnet’s reach beyond Windows, and increasing the potential pool of victim machines.
ncc build -o build/lib index.js && \
pkg --target node18-win-x64 -o build/node-win.exe ./build/lib/index.js && \
pkg --target node18-linux-x64 -o build/node-linux ./build/lib/index.js && \
pkg --target node18-macos-x64 -o build/node-macos ./build/lib/index.js
By targeting multiple operating systems (Windows, Linux, and macOS), the threat actor made their botnet more versatile, scalable and adaptable to different operational needs, which also enhanced persistence and reach.
_lain’s post indicating infected bots – macOS on the left and Windows on the right
As part of the XSS thread, _lain shared several screenshots of the botnet panel’s functionality. Some of the screenshots showed system information of infected systems, as well as features to control the bots. The button Open Terminal (pictured in above screenshots) allows an attacker to issue commands and interact with each infected machine in real-time through a persistent session. This feature provides the ability to directly control compromised systems, upload/download files, and run scripts as needed. The botnet panel is designed to be a user-friendly GUI, allowing the attacker to become an efficient botnet operator (a.k.a. bot-herder), clicking through intuitive buttons designed within the web interface panel. The upload/download files functionality provides the bot-herder with the ability to deploy additional malware on demand, extending the botnet’s capabilities and potential impact. The impact can be devastating, as the attacker can facilitate any payload delivery and execution, be it ransomware, spyware, wiper, or any other malware.
Persistent sessions enable the operator to maintain continuity across commands without re-establishing the connection each time. This streamlines command execution and may reduce the likelihood of detection by reducing repeated connection attempts.
_lain notes that the runFile
command, responsible for executing downloaded files, only functions on Windows. Rather than rewriting the function for other platforms, _lain suggests using JavaScript code to download files. The threat actor has a pragmatic approach, going for rapid development and short release cycles over complete cross-platform compatibility. While the botnet has cross-platform support, _lain’s primary focus is on Windows systems, likely because the threat actor is more familiar with Windows or believes it to be the most common target environment.
_lain’s botnet capability to run arbitrary JavaScript code on infected systems
For persistence on Windows, the addToStartup()
function copies the bot executable to the startup folder, ensuring it runs each time the system starts. It allows the bot to survive reboots and maintain a continuous presence on the infected system. At the time of writing, the identified Windows executable node.exe
(SHA256: 63272cb5c9bbe9bdb6201b473845fc00ab3d3a6f3b0dba7d9806a25f0a8f147e) has 0 detections on VirusTotal but matches Sigma rules for indicators of hidden execution, persistence, and non-interactive PowerShell activity.
For persistence on macOS, the code writes a .plist
file to ~/Library/LaunchAgents/
, configuring it to load at startup. On Linux systems, it attempts to copy the malicious file to /opt
to ensure persistence across users but if /opt
is inaccessible (e.g. due to lack of superuser privileges), it defaults to ~/.local/bin
, a user-level directory often used for executable files when elevated permissions are not available. Designed persistence mechanisms for each operating system attempt to ensure that the bot persists across reboots, maintaining a foothold on infected systems.
In our previous blog post on this campaign, we noted the use of Russian language throughout the botnet malware. At the time, we suspected that the author of the malware was potentially a Russian-speaker, or, was using Russian language as a deliberate obfuscation tactic. In this follow-up analysis, we identified that the threat actor uses a tactic commonly seen in use by cybercriminals from the Commonwealth of Independent States (CIS) – the use of a regional check. The checkSystemLocale()
function in the botnet’s client code is responsible for checking whether the infected system language matches specific locations, such as Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Russia, Tajikistan, Ukraine, and Uzbekistan, designed to not execute on machines located in these countries. The governments and law enforcement bodies representing CIS nations often turn a blind eye to cybercriminal activity, so long as it does not target entities within these countries. This is especially the case for Russia.
const regionsCountry = [
"hy", "hy-AM", // Армения
"az", // Азербайджан
"be", "be-BY", // Беларусь
"kk", "kk-KZ", // Казахстан
"ky", "ky-KG", // Киргизия
"ru", "ru-BY", "ru-KZ", "ru-KG", "ru-MD", "ru-RU", "ru-UA", // Россия
"tg", // Таджикистан
"uk", "uk-UA", // Украина
"uz", // Узбекистан
];
_lain discussing JavaScript for obfuscation on XSS (translated from Russian to English)
When _lain says that JavaScript can be modified or obfuscated “countless ways”, they mean that their Node.js botnet allows them to use various techniques to make their code difficult to analyze and detect. The threat actor implies that continuous changes in obfuscation patterns will make static detection by antivirus solutions more difficult. Specifically, the threat actor is using the javascript-obfuscator
dependency in their code, making it difficult to read, analyze, or reverse-engineer. These measures show the adversary’s adaptive and innovative strategy focused on maximizing the botnet’s lifespan by evading detection. _lain designed the botnet as a highly flexible system that can be repurposed as needed, based on the commands issued by the central server.
According to _lain, despite some detection mechanisms in place, many of their trojanized packages avoided removal, indicating that the malicious components were sufficiently obfuscated to evade basic automated detection by the npm code registry. The threat actor admits that about half of their malicious packages were still flagged and removed.
The threat actor claimed that their malicious packages were used by developers working in cryptocurrency-related projects. This highlights the threat actor’s focus on targeting specific industries, such as cryptocurrency, where compromised systems could yield high-value data or infrastructure. Also, as a result of their malicious campaign, the threat actor claimed that they gained access to several systems, which they now use as “hosting infrastructure” for further attacks and nefarious activities or as part of their botnet.
_lain’s comments about software supply chain complexity (translated from Russian to English)
The threat actor points out an inherent npm ecosystem complexity, where packages often rely on numerous dependencies, creating a complex “nesting doll” structure. This dependency chain makes comprehensive security reviews challenging and opens opportunities for attackers to introduce malicious code. _lain admits to exploiting this complexity and dependency sprawl in npm ecosystems, knowing that it is impractical for developers to scrutinize every single package and dependency.
On October 23, 2024, _lain posted another guide on the XSS forum, with a title that can be translated from Russian as “Malicious npm packages or how to easily hack a developer, infiltrate their project, and more”.
Based on this guide, the threat actor’s TTPs for supply chain attacks within the npm ecosystem can be summarized in the following categories:
postinstall
script to execute malicious commands during installation, which could compromise the system without the user’s awareness_lain supplied the guide with a video demonstration and their code. Below is a more detailed analysis of the threat actor’s TTPs, tooling, methodology, and provided code.
The threat actor creates malicious packages with names that closely resemble legitimate, popular libraries. Instead of inventing minor name variations on their own, _lain automates the process using ChatGPT to save time and generate a large list of typo variants for 100 popular packages.
_lain illustrates the process of generating typo variants for popular npm packages
In the widespread npm malware campaign that we discovered in October, and which uses _lain’s playbook for attacking and infiltrating software supply chains, we found notable typosquats, such as pretierr
(typosquat for prettier
), neextjs
(targeting next
), and others.
Part of _lain’s guide is dedicated to describing a malicious technique that exploits the postinstall
script attribute in a Node.js package’s package.json
file to execute arbitrary code on the user’s system.
The package.json
file is a core metadata file for Node.js packages. It contains essential details about the package, such as its name, version, dependencies, and scripts. The scripts
field in package.json
defines custom commands that can be executed during specific lifecycle events of the package, such as installation, testing, or building. The postinstall
script runs automatically after the package has been downloaded and installed using the npm install
command. According to _lain, they use the postinstall
script to execute malicious code immediately after the package is installed.
"scripts": {
"postinstall": "node install-script.js"
}
_lain’s example of using the postinstall
script for infecting the target’s system
The install-script.js
file referenced in the script could contain malicious code that steals data, installs additional malware, or creates backdoors, and in _lain’s case it turns an infected system into a bot. Because this script runs with the same permissions as the user or process installing the package, it can perform unauthorized actions on the system as that user.
If a developer installs a typosquatted malicious package, the postinstall
script executes immediately, infecting the developer’s environment. The technique exploits the trust developers place in package managers like npm
, where scripts in package.json
are often taken at face value without scrutiny. Malicious actions are masked under the guise of a normal package installation lifecycle, reducing suspicion. Additionally, many developers use automated processes to install dependencies, giving threat actors like _lain a streamlined path to infect systems.
To automate their attack chain, _lain developed a script to generate malicious npm packages with obfuscated code that executes a series of malicious actions upon installation.
The threat actor includes the following functions designed for malicious intent:
generateRandomName
– creates a random name for the malicious package, making it harder to track as each generated package has a unique namecreateRandomLibrary
– generates the structure of a malicious package with a randomized name and key elements, including:package.json
file with a postinstall
script that executes install-script.js
immediately after the package is installed. This is where the malware begins its executioninstall-script.js
– generated with obfuscated JavaScript code to hide its malicious intent, making it harder for defenders to detect and analyze.The install-script.js
contains code to retrieve a URL from an Ethereum blockchain smart contract for establishing a C2 channel that we described earlier and also detected in October 2024 as part of the widespread campaign flooding the npm ecosystem with malware relying on the Ethereum smart contract C2 mechanism.
const contractAddress = "CONTRACT_ADDRESS";
const WalletOwner = "WALLET_ADDRESS";
_lain’s code in the script is the same as in their blockchain-powered botnet and the same as we identified in the malicious campaign which started in October 2024
Next, install-script.js
will download an executable file from the URL to the system’s temporary directory, and execute the downloaded file in the background, enabling persistent, unauthorized access to the compromised system.
Additionally, the install-script.js
file includes error messages in Russian, which are used in exception handling and logging. This code and error messages are exactly the same as we uncovered in a widespread malware campaign that uses Ethereum smart contracts to control its operations.
console.error('Ошибка при запуске файла:', error);
Translation: “Installation error:”. This string is logged when an error occurs during the installation or execution of the downloaded file
console.error('Ошибка при получении IP адреса:', error);
Translation: “Error retrieving IP address:”. This string is logged when there is an error while fetching data from the Ethereum smart contract
Attribution is one of the hardest things in threat intelligence but in this case, with a high degree of confidence, we assess that the October 2024 campaign which flooded the npm ecosystem with malware and _lain’s adversarial playbook are directly connected with one another.
In our October 31, 2024 blog, we published a list of hundreds of malicious packages that infiltrated the npm ecosystem using _lain’s TTPs, methodology, tooling, and the threat actor’s Ethereum smart contract and wallet address as part of this novel C2 mechanism. We petitioned the npm registry for removal of all identified malicious packages, and as of this writing we found that these 280 packages were downloaded over 26,000 times, potentially affecting thousands of systems, assembling them into a botnet.
Along with the guide, _lain provided a video demonstration of their steps infiltrating the npm ecosystem with malicious packages. The video shows the sequence of the threat actor’s critical steps in crafting, obfuscating, publishing, and validating the malicious package in a controlled environment. _lain’s video shows how they create a malicious package 1234wdzwkcsf
(downloaded 139 times prior to removal from the npm registry).
Socket detected and flagged malicious 1234wdzwkcsf
package
_lain’s video demonstration of creating and publishing the malicious 1234wdzwkcsf
package
This screenshot from _lain’s demonstration video shows an open Windows command line interface, where the threat actor is executing a Node.js script index.js
located in the MisakaNetwork\genVirusScript
directory. The output shows the creation of a library folder named random-lib-wdzwkcsf
– a randomly generated malicious package directory.
We can see the file package.json
in a Notepad window, which defines the metadata for the newly created malicious package 1234wdzwkcsf
. The file package.json includes a postinstall
script (node install-script.js
), which will execute the install-script.js
file automatically after the package is installed. package.json
file also includes dependencies for HTTP requests (axios
) and for Ethereum smart contract interaction (ethers
).
On the far right, we see a browser window showing a page for YOPmail (yopmail[.]com) – a disposable email address generator, which allows to create random and anonymous, temporary email address and inboxes, which the threat actor used to register a fake account with the npm registry to publish malicious 1234wdzwkcsf
package.
Also, we see that _lain is testing their attack chain using virtual machines and VPNs, maintaining their operational security. The threat actor’s setup demonstrates the use of automation, anonymity tools, and well-planned tactics to execute supply chain attacks through the official npm package repository.
_lain successfully publishing a malicious package to the npm registry
This screenshot from _lain’s demonstration video shows that the threat actor successfully authenticated with the npm registry, and published a malicious 1234wdzwkcsf
package that contains files index.js
– the main entry point for the package, install-script.js
, which contains the malicious postinstall
script for executing nefarious actions during installation, and package.json
, the metadata file containing information about the package and the malicious postinstall
script. We also see that the npm output confirms that the package has been published to the npm registry.
C2 interaction with an infected system
This screenshot from _lain’s demonstration video shows the C2 phase of a botnet operation, where the threat actor is executing commands on an infected bot from a C2 server via a user-friendly GUI. A Windows Server 2022 environment is displayed in the top-left corner, showing the victim’s operating system version details. This is a staged environment used by _lain to test their malware and botnet operations. The right side of the screenshot shows a botnet C2 panel, which includes infected machine’s details (e.g. OS type, version, CPU and memory details).
The Terminal for Bot window at the bottom-right provides a command-line interface to interact with the infected machine. The terminal shows that the threat actor issued a winver
command to verify the Windows version, which we see is confirmed on the victim’s side as Windows Server 2022. The Send Command field allows the threat actor to execute further commands on the infected bot in real-time. The possibilities are wide for the threat actor, who can use this interactive terminal functionality to perform exploratory commands, data exfiltration, or system modifications.
_lain’s video and provided screenshots demonstrate the full lifecycle of a software supply chain attack. From the creation and distribution of malicious npm packages to the compromise of victim systems and the subsequent use of a botnet C2 panel for exploitation and control.
Threat actors are now exploiting decentralized technologies like blockchain to create resilient and hard-to-detect malware, such as using Ethereum smart contracts for C2 in the MisakaNetwork botnet. This evolution in attack strategies significantly escalates software supply chain threats and highlights the urgent need for stronger security measures in open source software supply chains. Understanding adversarial TTPs and the emerging threat landscape is crucial for developers and organizations to enhance their security protocols, protect their systems, and prevent potential data breaches and malware proliferation.
By sharing detailed guides and code on dark web forums, the barrier to entry for conducting software supply chain attacks is lowered, potentially leading to more widespread adoption of these techniques. The use of blockchain-enabled botnets and C2 mechanisms indicates a shift towards decentralized control in malware operations, complicating mitigation efforts. Advanced obfuscation and cross-platform capabilities make it difficult for security tools to detect and attribute attacks, prolonging the life cycle of the malware.
The threat actor’s observations about the npm ecosystem highlight critical vulnerabilities: the obfuscation of JavaScript code, making it difficult to detect malicious behavior, and the complexity of package dependencies, which prevents developers from thoroughly auditing nested packages. Socket directly addresses these issues with tools designed to protect developers at every stage of the software supply chain.
Below are the threat actor’s statements, alongside how Socket protects organizations and developers from attackers exploiting these specific vulnerabilities in the npm ecosystem.
“JavaScript is an interpreted language, and you can obfuscate the build code in countless ways, keeping it undetected almost at all times. Bots that I submitted to VirusTotal three months ago remain undetected”.
💡 Socket combats this challenge with its real-time malware detection, which scans every dependency in a pull request for suspicious behaviors, including obfuscated code and unusual postinstall scripts. By identifying risks before they reach your project, Socket prevents malicious bots like those described by the threat actor from going unnoticed.
“Developers can’t check everything, because in JavaScript, one package depends on ten other packages. Who is going to check this matryoshka?”
💡 Socket’s tools shine in their ability to analyze deeply nested dependencies. The Socket CLI wraps npm commands to scan packages and their transitive dependencies before they are written to disk. It ensures that even hidden threats buried within the “matryoshka” of dependencies are flagged, giving developers control over whether to proceed.
npm install
by proactively analyzing all dependencies, including nested ones, for potential risks.npm install -g socket
socket npm install react
By integrating Socket’s tools into your workflow, you can effectively mitigate the vulnerabilities described by the threat actor and used in their adversarial playbooks. Protect yourself from obfuscated malware and typosquatting attacks while maintaining trust in your dependencies. Install Socket today to secure your projects against modern supply chain threats.
Ethereum Smart Contract Address:
Ethereum Wallet Address:
Malicious npm Packages:
Malicious Windows Executable (node.exe):
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.