
Hackers Capitalize on Vulnerabilities in Ethereum Supply Chain Contracts

Cybercriminals have been exposed for using a clever blend of blockchain technology and conventional software repositories to carry out a sneaky supply chain attack.

Hackers Take Advantage of Ethereum Contracts for Unauthorized Access in Chain Intrusion

In a recent cybersecurity incident, a sophisticated campaign was uncovered that combined blockchain technology and traditional software repositories for a supply chain attack. The incident, which primarily targeted developers and users in the cryptocurrency sector, involved the deployment of rogue npm packages and the manipulation of GitHub repositories.

The malicious GitHub projects, disguised as automated cryptocurrency trading bots, were found to be a front for a more sinister operation. These projects displayed thousands of code commits, multiple stars, and numerous active contributors, creating an illusion of legitimacy. However, a deeper analysis revealed that the activity behind the commits was fabricated.

The accounts behind the commits were sockpuppets, all created around the same time as the npm packages. The only genuine changes in the projects were to the code that downloaded and executed the rogue npm dependencies. Two such malicious npm packages, colortoolsv2 and mimelib2, were identified by ReversingLabs in July.

These npm packages acted as downloaders for the malware payloads. The malicious code connected to the Ethereum blockchain to retrieve URLs hidden in Ethereum smart contracts; those URLs pointed to the secondary malware payloads, so the smart contracts were repurposed as a covert channel for distributing malicious links.

The investigation showed that the attackers used Ethereum smart contracts to hide the URLs of the secondary malware payloads. The infrastructure behind the commits appeared automated, with thousands of commits added daily.
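The chain described above (install-time script, contract read, remote fetch, execution of the result) is what a package-triage check should look for. The following is an added example, not code from the article or from ReversingLabs; the indicator patterns, package names and source snippets are constructed for illustration and are not taken from the real colortoolsv2 or mimelib2 packages.

```javascript
// Heuristic triage of an npm package for the contract-hosted-URL downloader pattern.
// All patterns and sample inputs below are constructed; tune them for your own ecosystem.
const ETH_READ = [
  /\beth_call\b/,                           // raw JSON-RPC contract read
  /\bethers\.(Contract|JsonRpcProvider)\b/, // ethers.js contract access
  /\bweb3\.eth\.Contract\b/,                // web3.js contract access
];
const REMOTE_FETCH = [/\bfetch\s*\(/, /\baxios\.(get|post)\b/, /\bhttps?\.get\s*\(/];
const DYNAMIC_EXEC = [
  /\beval\s*\(/, /\bnew\s+Function\s*\(/,
  /\bchild_process\b/, /\bvm\.runIn(This|New)Context\b/,
];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

function hits(patterns, src) {
  return patterns.filter((p) => p.test(src)).map((p) => p.source);
}
// Returns a verdict plus the evidence behind it, so an analyst can review the call.
function triagePackage(pkgJson, sources) {
  const hooks = INSTALL_HOOKS.filter((h) => pkgJson.scripts && pkgJson.scripts[h]);
  const src = sources.join('\n');
  const evidence = {
    hooks,
    ethRead: hits(ETH_READ, src),
    remoteFetch: hits(REMOTE_FETCH, src),
    dynamicExec: hits(DYNAMIC_EXEC, src),
  };
  let verdict = 'clean';
  if (evidence.ethRead.length && evidence.remoteFetch.length && evidence.dynamicExec.length) {
    verdict = hooks.length ? 'block' : 'suspicious'; // runs at install time = worst case
  } else if (evidence.ethRead.length && (evidence.remoteFetch.length || evidence.dynamicExec.length)) {
    verdict = 'review';
  }
  return { verdict, evidence };
}
// Constructed sample: an ordinary dapp helper that reads on-chain data and calls an API.
const BENIGN = {
  pkg: { name: 'price-widget', scripts: { test: 'jest' } },
  files: ['const c = new ethers.Contract(addr, abi, provider);\nconst r = await fetch(api);'],
};
// Constructed sample mirroring the article's pattern: postinstall hook, contract read,
// remote fetch, and dynamic execution of whatever came back.
const SUSPECT = {
  pkg: { name: 'colortools-lookalike', scripts: { postinstall: 'node setup.js' } },
  files: ['const c = new ethers.Contract(addr, abi, provider);\nconst url = await c.getUrl();\n' +
          'const body = await fetch(url);\neval(await body.text());'],
};
```

Run `triagePackage(SUSPECT.pkg, SUSPECT.files)` to see a `block` verdict with the matched patterns listed as evidence; a single indicator on its own is deliberately not enough to flag a package, since legitimate dapp tooling reads contracts all the time.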

The manipulated GitHub repositories are associated with supply-chain attacks and social engineering, but available reporting does not name a particular group or person behind them. Although North Korean APT groups have been observed using AI tools in cyber operations, and Russian threat actors have shown minimal involvement with AI-based malware, there is no direct attribution of these repositories to either.

The campaign emphasizes the importance of rigorous due diligence when integrating open-source software into projects. Verifying the authenticity of maintainers and their contributions is crucial in preventing such incidents. As the sophistication of repository-based attacks continues to grow, it is essential for the cybersecurity community to remain vigilant and proactive in safeguarding digital assets.