SUMMARY
- Malicious NPM Package Identified: “ethereumvulncontracthandler” disguises as a vulnerability scanner but installs Quasar RAT malware.
- Technical Details: The package uses obfuscation and downloads scripts to modify Windows settings, ensuring persistence and communication with a command-and-control server.
- Quasar RAT Risks: This malware enables keystroke logging, credential theft, and data breaches, posing significant risks to developers handling sensitive Ethereum projects.
- Supply Chain Attack: The package exploits trust in dependencies, infiltrating systems through a seemingly legitimate tool.
- Prevention Tips: Experts recommend strict vetting of third-party code, robust access controls, and dependency scans to secure the software supply chain.
Cybersecurity researchers at Socket recently uncovered a malicious NPM package, “ethereumvulncontracthandler,” posing as a legitimate tool for detecting vulnerabilities in Ethereum smart contracts. However, this package secretly installs Quasar RAT, a sophisticated remote access trojan, onto developers’ systems.
This malicious package was published on December 18, 2024, by an actor using the alias “solidit-dev-416.” Further probing revealed that it utilizes heavy obfuscation techniques like Base64 and XOR encoding to evade detection. Upon installation, it downloads a malicious script from a remote server, which silently executes to deploy Quasar RAT on Windows systems.
The threat actor has employed various deceptive tactics to ensure the malware’s persistence. The initial npm package serves as a loader, and retrieves/executes Quasar RAT from a remote server. Once executed, the malicious script runs hidden PowerShell commands and installs Quasar RAT.
For this purpose, it also modifies the Windows registry to ensure persistence. The infected machine then communicates with a command-and-control server at captchacdncom:7000, allowing the threat actor to maintain control and potentially spread the infection further.
For your information, Quasar RAT is a dangerous malware known for its extensive capabilities such as keystroke logging, screenshot capturing, and credential harvesting. It has become a significant threat to developers, potentially exposing private keys and sensitive information.
Another malware campaign targeting Roblox developers was recently discovered, which leveraged NPM packages to steal sensitive data and compromise systems. The campaign also involved dropping Quasar RAT payloads.
Such incidents highlight the need for developers to be vigilant, scrutinize third-party code, especially from unknown sources, and use tools to monitor dependencies for potential threats. This proactive identification and mitigation of malicious packages can help safeguard systems and prevent malicious actors from infiltrating.
“For both individual developers and large organizations, the presence of Quasar RAT in a trusted environment can have catastrophic consequences. Ethereum developers, in particular, face the risk of exposing private keys and credentials linked to significant financial assets,” researchers noted in their blog post.
Commenting on this, Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), told Hackread, “Ethereum smart contracts are the backbone of decentralized applications. This malicious NPM package disguises itself as a vulnerability scanner but installs Quasar RAT to monitor sensitive projects, steal data, and undermine systems. Security teams must validate unverified code, monitor registry changes, and watch for abnormal network activity.“
RELATED TOPICS
- Supply Chain Attack Hits Vant npm Packages with Monero Miner
- Luna Grabber Malware Hits Roblox Devs Through npm Packages
- Hackers Use Fake PoCs on GitHub to Steal WordPress, AWS Keys
- FortiGuard Labs: Series of Malicious NPM Packages Stealing Data
- Protestware Uses npm Packages to Call for Peace in Gaza, Ukraine
