Npm as obfuscation layer for GitHub campaign

The ReversingLabs researchers discovered two rogue npm packages called colortoolsv2 and mimelib2 that used Ethereum smart contracts for malware delivery in July. But not much effort was put into making those packages look legitimate and attractive for developers to include in their projects, which is usually the goal of supply chain attacks with rogue npm packages.

The colortoolsv2 package — and the mimelib2 one that later replaced it — contained only the files needed to implement the malicious functionality. As the researchers later found, this was because they were part of a larger coordinated campaign, the focus of which was to trick users into running code from fake GitHub repositories that would then download the npm packages automatically as dependencies.

The rogue GitHub repositories claimed to be for automated cryptocurrency trading bots and were crafted to look legitimate. They appeared to have multiple active contributors, thousands of code commits, and multiple stars, but these were all faked with sockpuppet accounts created around the same time as the npm packages popped up.