Malicious Obfuscated NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT
Summary:
Researchers have discovered a malicious npm package, ethereumvulncontracthandler, masquerading as a library for detecting vulnerabilities in Ethereum smart contracts. Published on December 18, 2024, by a user named "solidit-dev-416," this package secretly deploys Quasar RAT, an open-source remote access trojan, onto developer systems. As of now, the package has been downloaded 66 times. Upon installation, it retrieves a malicious script from a remote server, bypassing sandbox detection mechanisms and executing obfuscated code to resist analysis. The malicious script fetches and executes a second-stage payload via a remote server, launching PowerShell commands to initiate Quasar RAT. This sophisticated attack demonstrates advanced evasion techniques, such as Base64 and XOR encoding and multi-layered obfuscation.
Once installed, Quasar RAT establishes persistence by modifying Windows Registry settings and contacts a command-and-control server. Then the trojan enables attackers to fully compromise the victim's machine, granting surveillance and control capabilities, exfiltrating sensitive information, and potentially managing multiple infected systems as part of a botnet. Originally released in 2014, Quasar RAT has been widely used in cybercrime and espionage, making it a significant threat in this campaign.
Security Officer Comments:
This discovery highlights the growing risks associated with open-source software supply chains, where malicious packages infiltrate trusted platforms like npm. Compounding these risks is a related phenomenon: the manipulation of GitHub star counts to falsely boost the credibility of repositories. A study by Socket, alongside researchers from Carnegie Mellon University and North Carolina State University, revealed a surge in fake GitHub stars used to promote repositories distributing malware, pirating software, game cheats, and cryptocurrency bots. These fake stars are sold by black-market merchants like Baddhi Shop, where 1,000 stars can be purchased for $110. While the majority of fake-starred repositories are short-lived and not widely adopted, their existence underscores the unreliable nature of star counts as a metric for repository trustworthiness. Researchers suggest that GitHub should implement weighted metrics, such as network centrality, to better reflect repository quality and make manipulation harder. GitHub has acknowledged the issue and continues to work on removing fake accounts and starrers from the platform.
Suggested Corrections:
Development teams should scrutinize all third-party code they bring into their projects, especially if it claims advanced functionalities or comes from relatively unknown authors. Monitoring network traffic for unusual outbound connections and investigating unexpected file modifications can help detect compromised environments early.
Link(s):
https://thehackernews.com/2025/01/malicious-obfuscated-npm-package.html
https://socket.dev/blog/quasar-rat-disguised-as-an-npm-package
Researchers have discovered a malicious npm package, ethereumvulncontracthandler, masquerading as a library for detecting vulnerabilities in Ethereum smart contracts. Published on December 18, 2024, by a user named "solidit-dev-416," this package secretly deploys Quasar RAT, an open-source remote access trojan, onto developer systems. As of now, the package has been downloaded 66 times. Upon installation, it retrieves a malicious script from a remote server, bypassing sandbox detection mechanisms and executing obfuscated code to resist analysis. The malicious script fetches and executes a second-stage payload via a remote server, launching PowerShell commands to initiate Quasar RAT. This sophisticated attack demonstrates advanced evasion techniques, such as Base64 and XOR encoding and multi-layered obfuscation.
Once installed, Quasar RAT establishes persistence by modifying Windows Registry settings and contacts a command-and-control server. Then the trojan enables attackers to fully compromise the victim's machine, granting surveillance and control capabilities, exfiltrating sensitive information, and potentially managing multiple infected systems as part of a botnet. Originally released in 2014, Quasar RAT has been widely used in cybercrime and espionage, making it a significant threat in this campaign.
Security Officer Comments:
This discovery highlights the growing risks associated with open-source software supply chains, where malicious packages infiltrate trusted platforms like npm. Compounding these risks is a related phenomenon: the manipulation of GitHub star counts to falsely boost the credibility of repositories. A study by Socket, alongside researchers from Carnegie Mellon University and North Carolina State University, revealed a surge in fake GitHub stars used to promote repositories distributing malware, pirating software, game cheats, and cryptocurrency bots. These fake stars are sold by black-market merchants like Baddhi Shop, where 1,000 stars can be purchased for $110. While the majority of fake-starred repositories are short-lived and not widely adopted, their existence underscores the unreliable nature of star counts as a metric for repository trustworthiness. Researchers suggest that GitHub should implement weighted metrics, such as network centrality, to better reflect repository quality and make manipulation harder. GitHub has acknowledged the issue and continues to work on removing fake accounts and starrers from the platform.
Suggested Corrections:
Development teams should scrutinize all third-party code they bring into their projects, especially if it claims advanced functionalities or comes from relatively unknown authors. Monitoring network traffic for unusual outbound connections and investigating unexpected file modifications can help detect compromised environments early.
Link(s):
https://thehackernews.com/2025/01/malicious-obfuscated-npm-package.html
https://socket.dev/blog/quasar-rat-disguised-as-an-npm-package