A malicious npm package has been posing as a tool for detecting bugs in Ethereum smart contracts, but instead deploys Quasar RAT onto the machines of developers.
Socket’s research team explained in a blog post that the package retrieves a malicious script from a remote server, executing Quasar RAT silently to deploy it on Windows systems.
The researchers said Quasar RAT has circulated in cybercrime and APT campaigns since July 2014. Along with facilitating remote access, it offers a robust suite of capabilities, including keystroke logging, screenshot capturing, credential harvesting, and file exfiltration.
“For both individual developers and large organizations, the presence of Quasar RAT in a trusted environment can have catastrophic consequences,” wrote the Socket researchers. “Ethereum developers, in particular, face the risk of exposing private keys and credentials linked to significant financial assets.”
Ethereum smart contracts are self-executing pieces of code running on a blockchain, forming the backbone of many decentralized business applications, explained Jason Soroko, senior fellow at Sectigo. By targeting developers who work closely with smart contracts, Soroko said the attackers can discreetly monitor sensitive projects, steal information, and potentially undermine decentralized systems.
“Security teams must validate code from unverified sources, monitor registry changes, and watch for abnormal network connections to mitigate these threats,” said Soroko.
Patrick Tiquet, vice president of security and architecture at Keeper Security, said this incident qualifies as a supply chain attack because it exploits vulnerabilities in the dependencies organizations rely on. It targets an upstream tool to reach downstream victims, and highlights the sophisticated tactics cybercriminals are using to exploit the trust placed in third-party resources.
“By injecting the Quasar RAT trojan into a seemingly legitimate specialized package used for detecting vulnerabilities, the threat actor gains an easy entry point into an organization’s network,” said Tiquet. “To defend against these types of threats, organizations must implement robust privileged access controls and secrets management to protect sensitive credentials like API keys.”
