Npm as obfuscation layer for GitHub marketing campaign
The ReversingLabs researchers found two rogue npm packages referred to as colortoolsv2 and mimelib2 that used Ethereum sensible contracts for malware supply in July. However not a lot effort was put into making these packages look reputable and enticing for builders to incorporate of their tasks, which is normally the purpose of provide chain assaults with rogue npm packages.
The colortoolsv2 package deal — and the mimelib2 one which later changed it — contained solely the recordsdata wanted to implement the malicious performance. Because the researchers later discovered, this was as a result of they had been half of a bigger coordinated marketing campaign, the main focus of which was to trick customers into working code from faux GitHub repositories that will then obtain the npm packages robotically as dependencies.
The rogue GitHub repositories claimed to be for automated cryptocurrency buying and selling bots and had been crafted to look reputable. They appeared to have a number of lively contributors, 1000’s of code commits, and a number of stars, however these had been all faked with sockpuppet accounts created across the similar time because the npm packages popped up.
