A hacker inserted a malicious pull request into an Ethereum developer code extension, according to researchers at cybersecurity company ReversingLabs.
The malicious code was inserted via an update to Ethcode, an open source suite of tools that Ethereum developers use to build and deploy EVM-compatible smart contracts and dapps.
The ReversingLabs blog revealed that two malicious lines of code were buried in a GitHub pull request spanning 43 commits and roughly 4,000 changed lines, primarily related to adding new testing frameworks and features.
The update was submitted to GitHub on June 17 by Airez299, a user with no previous history.
The pull request was reviewed by GitHub's AI reviewer and by members of 7finney, the group responsible for creating Ethcode.
Neither 7finney nor the AI scanner found anything suspicious.
Airez299 was able to obscure the nature of the code by giving it a name similar to that of an existing file, and similar to the name of the code itself.
The second line of code works to activate the first. Ultimately, this spawns an automated PowerShell function that downloads and executes batch scripts from a public file-hosting service, according to ReversingLabs.
ReversingLabs is still investigating what exactly the script does, but it is working under the assumption that “it is intended to steal crypto assets stored on the victim’s machine or to infringe on an Ethereum contract under development by users of the extension.”
Speaking to Decrypt, blog author Petar Kirhmajer reported that ReversingLabs had no indication or evidence that the malicious code had actually been used to steal tokens and data.
However, Kirhmajer wrote in his blog that Ethcode has 6,000 installations, and a pull request that is deployed as part of an automatic update could spread “to thousands of developer systems.”
This is potentially concerning, and some developers suggest that this type of exploit poses a significant risk to the crypto industry, given how heavily it relies on open source development.
“There’s too much code and I don’t have enough eyes for it.”
According to Zak Cole, Ethereum developer and co-founder of Number Group, many developers install open source packages without proper checking.
“It’s too easy for someone to let in something malicious,” he told Decrypt. “NPM packages, browser extensions, etc.”
Recent notable examples include the December 2023 Ledger Connect Kit exploit and the discovery of malware in Solana’s Web3.js open source library last December.
“There’s too much code and I don’t have enough eyes,” adds Cole. “Most people just think things are safe because they’re popular or they’ve been around for a while, but that doesn’t mean anything.”
Cole asserts that this kind of thing is nothing particularly new, but that “the addressable attack surface is spreading” because more developers are using open source tools.
“Also, remember that there is an entire warehouse full of DPRK operatives whose full-time job is to carry out these exploits,” he says.
While Cole suggests there is more malicious code lurking than most developers probably notice, Kirhmajer told Decrypt that, in his estimation, “a successful attempt is extremely rare.”
This leads to the question of what can be done to reduce the likelihood that developers will use compromised code, and ReversingLabs recommends checking the identity and history of contributors before downloading anything.
The company also suggested reviewing files such as package.json to evaluate new dependencies, something Zak Cole also advocates.
“What’s useful is locking down dependencies, so you don’t pull in something random and new every time you build,” he said.
Cole also recommends using tools to scan for strange behaviors and rogue maintainers, looking for packages that may suddenly change hands or update out of the blue.
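The two recommendations above, reviewing package.json for new dependencies and locking them down, can be turned into a small pull-request check. The script below is an added example, not code from ReversingLabs or the Ethcode project: it compares a constructed before/after package.json, lists every dependency the change adds (however large the rest of the diff is), flags specs that are not exact version pins, and flags new names that resemble an existing dependency, the kind of naming trick the article describes.

```python
import difflib
import json
import re

# Constructed sample: a project's package.json before and after a hypothetical
# pull request. Package names are made up for the example.
BEFORE = json.loads("""{
  "name": "example-extension",
  "dependencies": {"evm-compiler": "2.1.0", "dapp-cli": "0.9.3"}
}""")
AFTER = json.loads("""{
  "name": "example-extension",
  "dependencies": {"evm-compiler": "2.1.0", "dapp-cli": "0.9.3",
                   "evm-compiler-utils": "^1.0.0"},
  "devDependencies": {"jest": "29.7.0"}
}""")

SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")
EXACT = re.compile(r"^\d+\.\d+\.\d+$")  # exact semver pin, no range operator

def all_deps(manifest):
    """Flatten every dependency section into one name -> version-spec map."""
    return {n: s for sec in SECTIONS for n, s in manifest.get(sec, {}).items()}

def is_pinned(spec):
    """True only for an exact version; ^, ~, ranges, tags and URLs are not pins."""
    return bool(EXACT.match(spec))

def lookalike_of(name, existing):
    """Existing package names this new name could be mistaken for."""
    hits = []
    for other in existing:
        a, b = name.lower(), other.lower()
        near = difflib.SequenceMatcher(None, a, b).ratio() >= 0.8
        if a.startswith(b + "-") or b.startswith(a + "-") or near:
            hits.append(other)
    return hits

def review(before, after):
    """One finding per dependency the change adds, with pin and lookalike checks."""
    old, new = all_deps(before), all_deps(after)
    return [{"name": n, "spec": s, "pinned": is_pinned(s),
             "lookalike_of": lookalike_of(n, old)}
            for n, s in new.items() if n not in old]

if __name__ == "__main__":
    for f in review(BEFORE, AFTER):
        flags = [] if f["pinned"] else ["unpinned"]
        flags += [f"resembles {o}" for o in f["lookalike_of"]]
        print(f"new dependency {f['name']}@{f['spec']}: {', '.join(flags) or 'ok'}")
```

Running it prints the two added packages, marking evm-compiler-utils as unpinned and as resembling the existing evm-compiler, while jest is reported as a clean, pinned addition.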
“Also, don’t run signing tools or wallets on the same machine you use to build things,” he concluded. “Assume nothing is safe unless you check it or sandbox it.”