An ongoing attack is uploading hundreds of malicious packages to the open source node package manager (NPM) repository in an attempt to infect the devices of developers who rely on code libraries there, researchers said.
The malicious packages have names that are similar to legitimate ones for the Puppeteer and Bignum.js code libraries and for various libraries for working with cryptocurrency. The campaign, which was active at the time this post was going live on Ars, was reported by researchers from the security firm Phylum. The discovery comes on the heels of a similar campaign a few weeks ago targeting developers using forks of the Ethers.js library.
Beware of the supply chain attack
“Out of necessity, malware authors have had to endeavor to find more novel ways to hide intent and to obfuscate remote servers under their control,” Phylum researchers wrote. “This is, once again, a persistent reminder that supply chain attacks are alive and well.”
When installed, the malicious packages use a novel way to conceal the IP address the devices contact to receive malicious second-stage malware payloads. The IP address doesn’t appear in the first-stage code at all. Instead, the code accesses an ethereum smart contract to “fetch a string, in this case an IP address, associated with a specific contract address on the Ethereum mainnet.” Short for main network, a mainnet is the primary blockchain network supporting a cryptocurrency such as ethereum where transactions occur. The ethereum mainnet is explained in more detail here.