“Shadowy developer” targets crypto users by compromising legitimate software


A recent discovery by cybersecurity researchers has shown that software development workflows are easy targets for threat actors looking to compromise legitimate software modules to steal crypto.

Cybersecurity firm ReversingLabs (RL) found that GitHub user Airez299 had compromised ETHcode, an extension created by 7finney, a developer of ethereum blockchain tools, by adding just two lines of code, which were hidden in a legitimate-looking GitHub pull request.

[Chart. Source: ReversingLabs]

While RL is still investigating this case, they said that "it’s not far-fetched to assume that the second-stage malware is intended to steal crypto assets stored on the victim's machine or, alternatively, compromise the ethereum contracts under development by users of the extension."

The researchers said that the malicious extension was removed from Microsoft's Visual Studio Marketplace, while ETHcode was updated on July 1st, removing the malicious code.

However, RL emphasized that, at first, the malicious code wasn't caught by any of the systems. It was even reviewed by 7finney and scanned by GitHub’s Copilot AI reviewer.

"That is not surprising. At first look, Airez299’s pull request didn’t actually add malicious code to the ETHcode module’s codebase. The changes are mostly fixes and updates for the existing code," RL said, adding that among the 43 commits and about 4,000 lines changed, there were two lines of code "that, together, would compromise the entire project and the corresponding VS Code extension."


The researchers estimate that with nearly 6,000 installs, ETHcode has potentially spread the malware "to thousands of developer systems that make up its userbase" and could infect even more. It's unknown whether any crypto users have already lost their crypto assets due to this campaign.

RL suggested that software supply chain attacks can be avoided by, for example, manually verifying the identity and history of contributors and reviewing files like package.json to identify and assess newly introduced dependencies.
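As an added illustration of the package.json review RL recommends, the script below diffs a manifest as it was before a pull request against the version the pull request proposes and lists newly introduced dependencies, changed version ranges, removed dependencies and new or altered install-time lifecycle scripts. This is example code written for this article, not ReversingLabs' or 7finney's tooling, and the two manifests are constructed samples rather than ETHcode's actual files.

```python
import json

# Constructed sample: package.json before the pull request (not ETHcode's real manifest).
BEFORE = json.loads("""{
  "name": "example-extension",
  "dependencies": {"ethers": "^5.7.2"},
  "devDependencies": {"typescript": "^5.0.0"},
  "scripts": {"build": "tsc -p ."}
}""")

# Constructed sample: package.json as proposed by the pull request.
# The added dependency name is a placeholder, not a real package.
AFTER = json.loads("""{
  "name": "example-extension",
  "dependencies": {"ethers": "^5.7.2", "helper-utils-placeholder": "1.0.3"},
  "devDependencies": {"typescript": "^5.1.0"},
  "scripts": {"build": "tsc -p .", "postinstall": "node setup.js"}
}""")

DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")
# npm runs these hooks automatically on install, so a reviewer should read any change to them.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def review_manifest_change(before, after):
    """Return (kind, section, name, detail) tuples a reviewer should inspect."""
    findings = []
    for section in DEP_SECTIONS:
        old = before.get(section, {})
        new = after.get(section, {})
        for name, spec in new.items():
            if name not in old:
                findings.append(("new-dependency", section, name, spec))
            elif old[name] != spec:
                findings.append(("changed-version", section, name, f"{old[name]} -> {spec}"))
        for name, spec in old.items():
            if name not in new:
                findings.append(("removed-dependency", section, name, spec))
    old_scripts = before.get("scripts", {})
    for hook, cmd in after.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS and old_scripts.get(hook) != cmd:
            findings.append(("lifecycle-script", "scripts", hook, cmd))
    return findings


if __name__ == "__main__":
    for kind, section, name, detail in review_manifest_change(BEFORE, AFTER):
        print(f"{kind:18} {section}/{name}: {detail}")
```

Run against the two manifests of a real pull request, each finding is a dependency or install hook whose origin and history the reviewer should verify before merging.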

So far, the investigation has shown that the Airez299 account, responsible for this attack, was created on the same day the pull request was opened on GitHub.


"This strongly indicates that this is a throwaway account that was created solely for the purpose of infecting this repo – a goal in which they were successful," RL concluded.