Hackers Using Ethereum Smart Contracts to Deliver Malware: Report
Software security firm ReversingLabs has identified two open-source code packages that use Ethereum smart contracts to download malware. It forms part of a “sophisticated campaign” of malicious actors attempting to hack users via poisoned blockchain-related public code libraries—a vector of attack Binance has previously linked to North Korean hackers.
The two Node Package Manager (NPM) libraries, or packages, called colortoolsv2 and mimelib2, were effectively identical in that they contained two files, one of which would run a script that downloads the second half of the malware attack via an Ethereum smart contract. NPM packages are collections of reusable, open-source code that developers will frequently use.
A software threat researcher at ReversingLabs noted that the use of smart contracts was “something we haven’t seen previously.”
“‘Downloaders’ that retrieve late-stage malware are being published to the npm repository weekly—if not daily,” the report stated. “What is new and different is the use of Ethereum smart contracts to host the URLs where malicious commands are located, downloading the second-stage malware.”
These two packages were just the tip of the iceberg, as ReversingLabs found a larger campaign of poisoned packages across GitHub. The security firm discovered a network of GitHub repositories that were connected to the aforementioned malicious package colortoolsv2. Most of the network was branded as crypto trading bots or token sniping tools.
Even though the NPM package wasn’t very sophisticated, there was much more effort put into making the repositories holding the malicious package look trustworthy.
The report explained that some repositories had thousands of commits, a good number of stars, and a couple of contributors, signals that could lead a developer to trust them. But ReversingLabs believes that most of this activity was faked by the attackers.
“It is especially dangerous because programmers wouldn't think it'd be an issue when they use publicly maintained codebases. It could be the assumption that open source equals public monitoring equals safety. It could be simply that one is unable to check every code he is using as he did not write it, and it would take so much time to do so.”
Binance links NPM poisoning to DPRK
Major centralized exchange Binance said it is aware of such attacks and, as a result, emphasizes checking NPM libraries thoroughly.
Binance’s chief security officer explained that package poisoning is a growing vector of attack for North Korean hackers, identified as the most significant threat to crypto companies.
North Korean hackers are believed to have been responsible for 61% of all crypto stolen in 2024, which totaled $1.3 billion. Since then, the FBI has attributed the $1.4 billion Bybit hack, the largest crypto hack of all time, to North Korean attackers.
While the main vector of attack noted is fake employees, NPM package poisoning is in second place alongside fake interview scams. As a result, major crypto exchanges share intelligence so they can flag poisoned libraries.
“We are mostly in this alliance on the frontline, so for the first responders, when [there are] hacks or [we need] incident response. We're always in this group, like with other exchanges,” it was explained. “We've been in alliance with those exchanges for years now.”
This article has been published in decrypt.co via Yahoo News.