Cybersecurity researchers have discovered a malicious package on the npm package registry that masquerades as a library for detecting vulnerabilities in Ethereum smart contracts but, in reality, drops an open-source remote access trojan called Quasar RAT onto developer systems.
The heavily obfuscated package, named ethereumvulncontracthandler, was published to npm on December 18, 2024, by a user named “solidit-dev-416.” As of writing, it continues to be available for download. It has been downloaded 66 times to date.
“Upon installation, it retrieves a malicious script from a remote server, executing it silently to deploy the RAT on Windows systems,” Socket security researcher Kirill Boychenko said in an analysis published last month.
The malicious code embedded into ethereumvulncontracthandler is obscured with multiple layers of obfuscation, leveraging techniques like Base64- and XOR-encoding, as well as minification to resist analysis and detection efforts.
The malware also performs checks to avoid running in sandboxed environments, prior to acting as a loader by fetching and executing a second-stage payload from a remote server (“jujuju[.]lat”). The script is designed to run PowerShell commands to initiate the execution of Quasar RAT.
The remote access trojan, for its part, establishes persistence through Windows Registry modifications and contacts a command-and-control (C2) server (“captchacdn[.]com:7000”) to receive further instructions that allow it to gather and exfiltrate information.
Quasar RAT, first publicly released on GitHub in July 2014, has been used for both cybercrime and cyber espionage campaigns by various threat actors over the years.
“The threat actor also uses this C2 server to catalog infected machines, and manage multiple compromised hosts simultaneously if this campaign is part of a botnet infection,” Boychenko said.
“At this stage, the victim’s machine is fully compromised, and is under complete surveillance and control by the threat actor, ready for regular check-ins and to receive updated instructions.”
The Ballooning Problem of Fake Stars on GitHub
The disclosure comes as a new study undertaken by Socket, alongside academics from Carnegie Mellon University and North Carolina State University, has revealed a rapid surge in inauthentic “stars” that are used to artificially inflate the popularity of malware-laced GitHub repositories.
While the phenomenon has been around for some time, the research discovered that the majority of fake stars are used to promote short-lived malware repositories masquerading as pirating software, game cheats, and cryptocurrency bots.
Advertised via GitHub star merchants like Baddhi Shop, BuyGitHub, FollowDeh, R for Rank, and Twidium, the “open” black market is suspected to be behind as many 4.5 million “fake” stars from 1.32 million accounts and spanning 22,915 repositories, illustrating the scale of the problem.
Baddhi Shop, The Hacker News found, lets prospective customers buy 1,000 GitHub stars for $110. “Buy GitHub Followers, Stars, Forks, and Watchers to boost your repository’s credibility and visibility,” a description on the site reads. “Real engagement attracts more developers and contributors to your project!”
“Only a few repositories with fake star campaigns are published in package registries such as npm and PyPI,” the researchers said. “Even fewer are widely adopted. At least 60% of the accounts that participated in fake star campaigns have trivial activity patterns.”
As the open-source software supply chain continues to be an attractive vector for cyber attacks, the findings reiterate that star count alone is an unreliable signal of quality or reputation of GitHub repositories and should not be used without further review.
In a statement shared with WIRED in October 2023, the Microsoft-owned code hosting platform said it’s been aware of the problem for years and that it actively works to remove fake starrers from the service.
“The main vulnerability of star count as a metric lies in the fact that the actions of all GitHub users share equal weight in its definition,” the researchers said.
“As a result, star count can be easily inflated with a high volume of bot accounts or (arguably low reputation) crowdsourced humans, as we have shown in our study. To avoid such exploitation, GitHub may consider presenting a weighted metric to signal repository popularity (e.g., based on dimensions of network centrality), which is considerably harder to fake.”
