Cybercriminals have engineered a novel malware distribution method: leveraging Ethereum smart contracts to obscure key components of their attacks.

According to findings detailed in a report by Lucija Valentić from ReversingLabs, two potentially harmful software packages were discovered within the Node Package Manager (NPM), a popular repository for JavaScript code modules.

These packages, dubbed “colortoolsv2” and “mimelib2,” were uploaded in July and crafted to mimic legitimate utilities.


These packages served as basic downloaders. Upon installation, each package would query the Ethereum blockchain, retrieving data from a designated smart contract. This data contained the network location of a secondary piece of malware, which was then downloaded and executed.

This approach effectively circumvented standard security measures, as the packages lacked any directly embedded malicious links or file references.

Valentić noted that while the misuse of Ethereum contracts isn’t new, this particular technique is unique. Rather than housing the malware directly, the smart contract functioned as a pointer, providing the address where the malicious code could be retrieved.
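A reviewer's heuristic for the pattern described above, as an added example that is not code from the report or from ReversingLabs: it flags package source that combines an on-chain read with network-fetch and code-execution capability, and shows that a scan for embedded URLs alone finds nothing. The pattern lists, the function name `assessPackageSource` and both sample inputs are assumptions constructed for illustration.

```javascript
// Added example: static heuristic for the "contract as pointer" downloader pattern.
// Pattern lists are illustrative assumptions, not ReversingLabs signatures.
const CHAIN_READ = [
  /require\(\s*['"](ethers|web3)['"]\s*\)/, // common Ethereum client libraries
  /from\s+['"](ethers|web3)['"]/,
  /\beth_call\b/,                           // raw JSON-RPC contract read
];
const FETCH = [/require\(\s*['"](https?|axios|node-fetch)['"]\s*\)/, /\bfetch\s*\(/];
const EXEC = [/require\(\s*['"]child_process['"]\s*\)/, /\beval\s*\(/, /new\s+Function\s*\(/];
const URL_LITERAL = /https?:\/\/[^\s'"]+/g;

const any = (src, patterns) => patterns.some((re) => re.test(src));

function assessPackageSource(src) {
  const chainRead = any(src, CHAIN_READ);
  const fetches = any(src, FETCH);
  const executes = any(src, EXEC);
  // What a link-only scanner sees: nothing, when the URL lives on-chain.
  const urlLiterals = src.match(URL_LITERAL) || [];
  let verdict = "ok";
  if (chainRead && (fetches || executes)) verdict = "review";
  if (chainRead && fetches && executes) verdict = "flag";
  return { verdict, chainRead, fetches, executes, urlLiterals };
}

// Constructed, inert sample: only the imports such a downloader would need.
const SAMPLE_DOWNLOADER = [
  'const { ethers } = require("ethers");',
  'const https = require("https");',
  'const { exec } = require("child_process");',
  "// body elided: read string from contract, fetch it, run it",
].join("\n");

// Constructed benign utility that happens to contain a URL in a comment.
const SAMPLE_BENIGN = [
  "// docs: https://example.com/colors",
  "const pad = (v) => v.toString(16).padStart(2, '0');",
  "exports.hex = (r, g, b) => '#' + pad(r) + pad(g) + pad(b);",
].join("\n");

console.log(assessPackageSource(SAMPLE_DOWNLOADER));
console.log(assessPackageSource(SAMPLE_BENIGN));
```

A "review" or "flag" verdict is a prompt for manual inspection, since legitimate Web3 tooling also imports these libraries; the signal is a color or MIME utility that has no reason to read from a blockchain at all.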

The campaign extended beyond NPM, also utilizing a fraudulent open-source project hosted on GitHub. The perpetrators created a bogus cryptocurrency trading bot, complete with fabricated updates, comprehensive documentation, and multiple fake user accounts to foster a sense of legitimacy and activity.

On September 1st, Yu Xian from SlowMist reported a theft of WLFI tokens from Ethereum wallets exploiting Ethereum’s EIP-7702 feature.

