Wednesday, April 2, 2025

Malware Campaign Uses Ethereum Smart Contracts to Control npm Typosquat Packages

A new malware campaign is targeting npm developers with hundreds of typosquatted versions of well-known packages, designed to trick developers into installing cross-platform malware.

The attack stands out for using Ethereum smart contracts as a command-and-control (C2) distribution mechanism, according to independent findings from several security vendors published over the preceding days.

The activity was first flagged on October 31, 2024, although it is believed to have been underway for at least a week before that. At least 287 typosquat packages have been identified in the npm package registry.

“As the campaign began to take shape, it became evident that an attacker was in the early stages of a typosquatting effort targeting developers seeking to utilize popular tools like Puppeteer, Bignum.js, and various cryptocurrency libraries,” Phylum said.

The packages contain obfuscated JavaScript that runs during installation, ultimately retrieving a next-stage binary from a remote server, with the variant chosen according to the victim's operating system.

The binary, for its part, establishes persistence on the compromised host and then exfiltrates sensitive information about the machine back to the same server.

In an interesting twist, the JavaScript code interacts with an Ethereum smart contract through the ethers.js library to fetch the IP address of that server. It is worth noting that an earlier campaign, EtherHiding, used a similar tactic, storing the next stage of its attack chain in Binance Smart Chain (BSC) contracts.

Because the blockchain is decentralised, the campaign is harder to block: the threat actor can update the IP address served by the contract over time, so the malware seamlessly connects to new addresses as older ones are blocked or taken down.
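The mechanism behind the two paragraphs above is a read-only contract call: the dropper issues an `eth_call` against a getter on the contract, the node returns the stored value ABI-encoded, and the client decodes it into a host to connect to. The following is an added example written for this page, not the campaign's code and not from the article. It implements the ABI encoding Solidity uses for a `string` return value and the decoding ethers.js performs for a `returns (string)` ABI entry, then simulates the rotation the article describes with an in-memory stand-in for the chain. The contract address, the getter, and the hosts (taken from the RFC 5737 documentation ranges) are assumptions constructed for the example; no network is contacted.

```javascript
// Added example: a smart contract as a C2 "address book". Not the campaign's
// code. CONTRACT, the hosts and the simulated chain are constructed for this
// example; a real client would send eth_call to an RPC node instead.

function toHex(bytes) { return Buffer.from(bytes).toString('hex'); }
function fromHex(hex) { return Buffer.from(hex.replace(/^0x/, ''), 'hex'); }

// ABI-encode a single `string` return value the way Solidity does:
//   word 0: offset of the dynamic data (0x20, i.e. right after this word)
//   word 1: byte length of the string
//   then the UTF-8 bytes, right-padded with zeros to a 32-byte boundary
function abiEncodeString(s) {
  const data = Buffer.from(s, 'utf8');
  const padded = Buffer.alloc(Math.ceil(data.length / 32) * 32);
  data.copy(padded);
  const word = (n) => Buffer.from(n.toString(16).padStart(64, '0'), 'hex');
  return '0x' + toHex(Buffer.concat([word(0x20), word(data.length), padded]));
}

// Inverse of the above: what an ABI decoder does for `returns (string)`.
// Bounds are checked so malformed return data raises instead of misreading.
function abiDecodeString(hex) {
  const buf = fromHex(hex);
  if (buf.length < 64) throw new Error('return data too short');
  const offset = Number(BigInt('0x' + toHex(buf.subarray(0, 32))));
  if (offset + 32 > buf.length) throw new Error('offset outside return data');
  const length = Number(BigInt('0x' + toHex(buf.subarray(offset, offset + 32))));
  const start = offset + 32;
  if (start + length > buf.length) throw new Error('length exceeds return data');
  return buf.subarray(start, start + length).toString('utf8');
}

// Assumed contract address (constructed, not a real deployment).
const CONTRACT = '0x000000000000000000000000000000000000c0de';

// Stand-in for the chain: one stored string per contract address, an
// "operator" transaction that overwrites it, and an eth_call that returns the
// current value ABI-encoded, as a `function getString() view returns (string)`
// getter would. Each call to makeSimulatedChain starts from fresh state.
function makeSimulatedChain(initialHost) {
  const state = { [CONTRACT]: initialHost };
  return {
    operatorUpdate: (host) => { state[CONTRACT] = host; }, // attacker's write tx
    ethCall: ({ to }) => (to in state ? abiEncodeString(state[to]) : '0x'),
  };
}

// What the dropper does on every start-up: ask the contract where C2 is today.
// The decoded value is validated as host:port so garbage never becomes a socket.
function resolveC2(ethCall, contract = CONTRACT) {
  const raw = ethCall({ to: contract, data: '0x' }); // calldata omitted in the simulation
  const value = abiDecodeString(raw);
  const m = /^([0-9A-Za-z.-]+):(\d{1,5})$/.exec(value);
  if (!m || Number(m[2]) > 65535) throw new Error(`unexpected contract value: ${value}`);
  return { host: m[1], port: Number(m[2]) };
}

// Rotation: the first host gets blocked, the operator rewrites the contract,
// and every client that resolves afterwards lands on the new host without any
// change to the malware itself.
function demonstrateRotation() {
  const chain = makeSimulatedChain('203.0.113.10:8080');
  const before = resolveC2(chain.ethCall);
  chain.operatorUpdate('198.51.100.7:443');
  const after = resolveC2(chain.ethCall);
  return { before, after };
}

console.log(JSON.stringify(demonstrateRotation()));
```

The read is unauthenticated and costs no gas, which is exactly why the technique is attractive to the operator; but the same property means a defender can poll the contract with any public RPC node and harvest every host the operator ever publishes, and the write transactions that changed the value are permanently visible in the chain's history.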

“By leveraging the blockchain, attackers gain two significant advantages: their infrastructure becomes virtually impervious to takedown due to the blockchain’s immutable nature, and the decentralized architecture renders it extremely challenging to block these communications,” said Checkmarx researcher Yehuda Gelb.

While the identity of those behind the campaign remains unclear, the Socket Threat Research Team found error messages written in Russian embedded in the code’s exception-handling and logging routines, suggesting that the threat actor may be a Russian speaker.

The incident is yet another example of threat actors abusing the open-source ecosystem, and it underscores the need for developers to stay alert when installing packages from public registries.

“The deployment of blockchain technology in C2 infrastructure enables novel methods of conducting supply chain attacks within the npm ecosystem, rendering the attack infrastructure more resistant to takedown attempts and complicating detection,” Gelb noted.
