A new supply chain attack targets hundreds of widely used Node Package Manager (NPM) repositories, including Puppeteer, Bignum.js, and cryptocurrency-related packages. The attack aims to infect developers’ systems by exploiting the code libraries they depend on.
The attack involves ‘typosquatting,’ a technique where threat actors name the malicious packages to closely resemble the legitimate ones. Usually, the names contain slight alterations not noticed by developers.
Once installed, the malicious packages deploy a new, complex strategy to conceal the IP addresses used for the second-stage malware payloads. They rely on the Ethereum blockchain to hide these details. Instead of embedding the IP addresses directly in the first-stage code, the malware contacts an Ethereum smart contract to retrieve an IP address.
This approach taps into the decentralised and immutable nature of the blockchain to fetch the IP string.
According to researchers, the retrieved address leads infected devices to a remote server, allowing attackers to execute additional instructions. Interestingly, the immutable records on Ethereum also make it possible to trace all previous IP addresses used by attackers — something the threat actors may not have participated.
The IP addresses linked to the attackers’ servers have changed over time, with past addresses documented by researchers starting from localhost to various external IPs over the last several weeks, reports Ars Technica.
The current IP address in use is hxxp://193.233[.]201.21:3001, following several previous addresses recorded in September and October. Researchers emphasise that the malicious packages are designed to persist on infected devices.
Distributed as a packed Vercel package, the payload operates directly in memory, ensuring it can reload with every system restart. Once active, the malware contacts the IP retrieved from Ethereum and initiates requests to obtain additional JavaScript files.
These files gather and transmit detailed system information back to the command-and-control server. The data includes machine-specific details such as GPU and CPU information, memory capacity, OS version, and user credentials.
To mitigate these risks, developers are advised to double-check package names and hashes before installation, ensuring they don’t fall victim to cleverly disguised malicious packages. Heightened vigilance and improved repository monitoring are critical steps in countering these threats, especially as open-source supply chain attacks show no signs of abating.
In the News: Chinese state-sponsored hackers breached Singtel in June