Introduction
Between October 31 and November 3, 2024, the Tianwen Software Supply Chain Analysis Platform detected a sophisticated attack targeting the npm ecosystem. This attack leveraged Ethereum smart contracts to conceal malicious command-and-control (C2) infrastructure while deploying multi-stage payloads to compromise victim systems.
Developed by Qi An Xin Technology's Star Atlas Lab, the Tianwen platform provides continuous monitoring of Python, npm, and other major development ecosystems, identifying numerous malicious packages and attack patterns.
Attack Timeline Analysis
Initial Testing Phase (October 2024)
October 21: Attackers published haski, a typosquatting package mimicking the popular husky tool
- Contained a postinstall hook executing heavily obfuscated code (install-script.js)
- Published by user [email protected]
Same Day: Second package jest-fet-mock released with identical malicious logic
- Published via anonymous ProtonMail account ([email protected])
October 23: Third test package 1234wdzwkcsf appeared
- Used disposable email domain (@mail.3a88.dev)
Mass Deployment Phase (Late October - Early November 2024)
Attackers launched 34 additional malicious packages with these characteristics:
- Each published by a unique account
- Gmail addresses following patterned naming (e.g., [email protected])
- Legitimate-looking metadata mirroring popular packages
- Modified script names (os44oz5q.cjs instead of install-script.js)
- Added dependencies (axios and ethers) for malicious functionality
Technical Breakdown
Obfuscated Payload Delivery
All packages contained identical obfuscated code that:
- Fetched dynamic C2 addresses from Ethereum smart contracts
- Downloaded platform-specific payloads:
  - Windows: node-win.exe
  - Linux: node-linux
  - macOS: node-macos

```javascript
// Simplified payload download logic: os.platform() selects which binary is fetched from the C2
const os = require('os');
const getDownloadUrl = (c2Address) => {
  switch (os.platform()) {
    case 'win32': return `${c2Address}/node-win.exe`;
    case 'linux': return `${c2Address}/node-linux`;
    case 'darwin': return `${c2Address}/node-macos`;
    default: return null; // unsupported platform: nothing is downloaded
  }
};
```
Ethereum Smart Contract C2 Mechanism
Attackers used contract address 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b with:
- getString() function to retrieve the current C2 URL
- setString() function to dynamically update the address
- Wallet owner 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84

```javascript
// Contract interaction example: the read-only lookup the install script performs
const { ethers } = require('ethers');
const provider = ethers.getDefaultProvider(); // any public Ethereum mainnet RPC endpoint
const contract = new ethers.Contract(
  '0xa1b40044EBc2794f207D45143Bd82a1B86156c6b',
  ['function getString(address) public view returns (string)'],
  provider
);
// getString() takes an address argument (the wallet owner address listed above) and returns the C2 URL
contract.getString('0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84').then((c2Url) => console.log(c2Url));
```
C2 Address Rotation History
| Date | Address | Purpose |
|---|---|---|
| Sep-23 | http://localhost:3001 | Initial testing |
| Sep-24 | http://45.125.67.172:1228 | First live test |
| Oct-21 | http://45.125.67.172:1337 | Active during haski deployment |
| Oct-26 | http://194.53.54.188:3001 | Currently active endpoint |
Attack Attribution
Indicators of Russian Origin
- Russian-language error messages in unobfuscated code:
  - Ошибка при получении IP адреса (IP address retrieval error)
  - Ошибка установки (Installation error)
- C2 infrastructure hosted on Russian cloud provider iHor
Key Security Implications
- Blockchain-Abusing Tactics: First documented case using smart contracts for dynamic C2 in supply chain attacks
- Evasion Advantages:
  - No gas costs for read operations
  - Fully decentralized infrastructure
  - Real-time address updates
- Detection Challenges:
  - Traditional IP/DNS blocking becomes ineffective
  - Requires blockchain transaction monitoring
FAQs
Q: How can developers protect against such attacks?
A: Implement these protective measures:
- Verify package maintainer history
- Use lockfiles with integrity hashes
- Scan for postinstall scripts
- Monitor network connections during installation
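A defender-side triage script for the traits this report describes (install-time lifecycle hooks, the ethers/axios dependencies, the contract address, hosts and payload names listed here), written as an added example that is not part of the original report; the package contents it scans are constructed samples:

```javascript
// Added example: static triage of an npm package for the traits described above.
// Sample inputs below are constructed; they are not real package contents.
const IOC = {
  contracts: ['0xa1b40044ebc2794f207d45143bd82a1b86156c6b'],
  hosts: ['45.125.67.172', '194.53.54.188'],
  payloads: ['node-win.exe', 'node-linux', 'node-macos'],
  riskyDeps: ['ethers', 'axios'],
};

// Returns a list of findings for a parsed package.json and its install-script source.
function triagePackage(pkgJson, scriptSource) {
  const findings = [];
  const scripts = pkgJson.scripts || {};
  // Any install-time lifecycle hook deserves a look; the campaign used postinstall.
  const hook = ['preinstall', 'install', 'postinstall'].find((k) => k in scripts);
  if (hook) findings.push(`lifecycle hook "${hook}": ${scripts[hook]}`);
  const deps = Object.keys(pkgJson.dependencies || {});
  for (const d of IOC.riskyDeps) if (deps.includes(d)) findings.push(`dependency ${d}`);
  const src = scriptSource.toLowerCase();
  for (const c of IOC.contracts) if (src.includes(c)) findings.push(`known C2 contract ${c}`);
  for (const h of IOC.hosts) if (src.includes(h)) findings.push(`known C2 host ${h}`);
  for (const p of IOC.payloads) if (src.includes(p)) findings.push(`payload name ${p}`);
  // Generic form of the pattern: a string read from an Ethereum contract via ethers.
  if (/getstring\s*\(/.test(src) && src.includes('ethers')) {
    findings.push('reads a string from an Ethereum contract (dynamic C2 pattern)');
  }
  // Crude obfuscation heuristic: dense \xNN escapes in the script source.
  const hexEscapes = (scriptSource.match(/\\x[0-9a-f]{2}/gi) || []).length;
  if (hexEscapes > 20) findings.push(`heavy hex-escape obfuscation (${hexEscapes} escapes)`);
  return findings;
}

// Constructed package resembling the campaign's packages.
const samplePkg = {
  name: 'haski', version: '1.0.0',
  scripts: { postinstall: 'node os44oz5q.cjs' },
  dependencies: { ethers: '^6.0.0', axios: '^1.0.0' },
};
const sampleScript = `
const { ethers } = require('ethers');
const c = new ethers.Contract('0xa1b40044EBc2794f207D45143Bd82a1B86156c6b',
  ['function getString(address) public view returns (string)'], ethers.getDefaultProvider());
const url = (await c.getString('0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84')) + '/node-linux';
`;
// Constructed benign package for comparison.
const cleanPkg = { name: 'example-utility', version: '1.0.0', scripts: { test: 'node test.js' }, dependencies: {} };
const cleanScript = 'module.exports = (s, n) => s.padStart(n);';
console.log(triagePackage(samplePkg, sampleScript));
console.log(triagePackage(cleanPkg, cleanScript));
```

Run it against the extracted tarball of any package before allowing its install scripts to execute; an empty result only means none of these specific traits were found, not that the package is clean.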
Q: Why is this attack method significant?
A: It represents an evolutionary leap in malware C2 techniques by:
- Leveraging blockchain's immutable nature
- Eliminating centralized infrastructure
- Enabling real-time infrastructure rotation
Q: What should organizations do if they've installed these packages?
A: Immediate actions include:
- Isolate affected systems
- Rotate all credentials
- Conduct memory analysis for payload artifacts
- Review blockchain interactions from compromised hosts
Conclusion
This attack demonstrates the increasing sophistication of software supply chain threats, combining:
- Typosquatting tactics
- Advanced obfuscation
- Blockchain-based C2 infrastructure
- Professional operational security
The Tianwen Software Supply Chain Security Platform continues to monitor such advanced threats across open-source ecosystems.
IOCs (Indicators of Compromise)
Smart Contracts
- Address: 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b
- Wallet: 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84
Network Indicators
- http[:]//45[.]125[.]67[.]172[:]1228
- http[:]//194[.]53[.]54[.]188[:]3001
File Hashes
- Windows: 5ded160d97657902a14ecca95acfb01c7bf957d1
- Linux: 2addf6ef678f9f663b00e13e3bb2fa0a37299dd0
- macOS: 7ac12ba9822df1f6652fd3dd67f61e026719a76a