Security researchers have uncovered a deceptive package on the npm registry that poses as an Ethereum smart contract vulnerability detector but actually deploys the Quasar RAT malware. The package, named “ethereumvulncontracthandler,” was published on December 18, 2024, and has recorded 66 downloads.
Technical Analysis:
– The package employs layered obfuscation, including Base64 and XOR encoding of its strings
– It performs sandbox detection to avoid analysis
– Upon installation, it downloads and executes malicious scripts from “jujuju[.]lat”
– The Quasar RAT establishes persistence through Windows Registry modifications
– Command-and-control communications occur through “captchacdn[.]com:7000”
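The points above (an install-time hook, Base64/XOR-layered strings, a hard-coded C2 host) are what a defender looks for when triaging a suspicious package. The script below is an added example, not code from the researchers or from the package itself: it lists the install-time lifecycle scripts in package.json, pulls long Base64-looking literals out of the package's JavaScript, tries the plain decoding and every single-byte XOR key on each, and matches anything that decodes to a hostname against the two indicators named in the report. The sample package it scans is constructed for this example; the "postinstall" hook, the file name setup.js and the XOR key 0x5A are assumptions, not details from the report.

```python
"""Static triage of an unpacked npm package: install hooks, encoded strings, IoC hits.

Added example; the sample package below is constructed, not the real one.
"""
import base64
import binascii
import json
import re

# Lifecycle scripts npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators from the report, written defanged; normalise_ioc() strips the brackets.
KNOWN_IOCS = ["jujuju[.]lat", "captchacdn[.]com:7000"]

B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+(?::\d{1,5})?\b", re.I)


def normalise_ioc(ioc: str) -> str:
    return ioc.replace("[.]", ".").lower()


def find_install_hooks(package_json: str) -> dict:
    """Return the lifecycle scripts that run without the user invoking them."""
    scripts = json.loads(package_json).get("scripts", {})
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def _looks_like_text(data: bytes) -> bool:
    return all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in data)


def decode_candidates(blob: str) -> list:
    """Return (xor_key, text) pairs whose decoding contains a hostname-like token.

    Key 0 is plain Base64. XOR of ASCII with a single byte often stays
    printable, so a printability test alone cannot pick the right layer;
    requiring a hostname in the output is the discriminator used here.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return []
    found = []
    for key in range(256):
        data = bytes(b ^ key for b in raw)
        if _looks_like_text(data):
            text = data.decode("ascii")
            if HOST_RE.search(text):
                found.append((key, text))
    return found


def scan_package(files: dict) -> dict:
    """files maps a relative path to its content, as unpacked from the tarball."""
    report = {"install_hooks": {}, "decoded": [], "ioc_hits": []}
    if "package.json" in files:
        report["install_hooks"] = find_install_hooks(files["package.json"])
    iocs = [normalise_ioc(i) for i in KNOWN_IOCS]
    for path, content in files.items():
        if not path.endswith(".js"):
            continue
        for blob in B64_RE.findall(content):
            for key, text in decode_candidates(blob):
                report["decoded"].append({"file": path, "xor_key": key, "text": text})
                for ioc in iocs:
                    if ioc in text.lower():
                        report["ioc_hits"].append({"file": path, "ioc": ioc, "xor_key": key})
    return report


def _obfuscate(text: str, key: int) -> str:
    """Builds the constructed sample only: XOR, then Base64, mirroring the layering described."""
    return base64.b64encode(bytes(ord(c) ^ key for c in text)).decode("ascii")


SAMPLE_KEY = 0x5A  # assumed key, chosen for the constructed sample
SAMPLE_FILES = {  # constructed stand-in for an unpacked package
    "package.json": json.dumps({
        "name": "example-contract-checker",  # hypothetical name
        "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js"},
    }),
    "setup.js": (
        "// constructed stand-in for an obfuscated installer\n"
        f'const blob = "{_obfuscate("captchacdn.com:7000", SAMPLE_KEY)}";\n'
        f"const key = {SAMPLE_KEY};\n"
        "const dest = Buffer.from(blob, 'base64').map(b => b ^ key).toString();\n"
    ),
}


if __name__ == "__main__":
    print(json.dumps(scan_package(SAMPLE_FILES), indent=2))
```

Running it on the sample reports the postinstall hook, the blob in setup.js decoded under key 0x5A, and a hit on captchacdn.com:7000. The hostname requirement matters: with key 0x5A the plain Base64 layer already decodes to printable ASCII, so a scanner that stopped at "is it printable text?" would report the wrong layer and miss the indicator.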
GitHub Star Manipulation Study:
– Research by Socket, Carnegie Mellon University, and NC State University reveals widespread fake star campaigns
– Approximately 4.5 million fake stars identified across 1.32 million accounts and 22,915 repositories
– Black market services sell GitHub stars (1,000 stars for $110)
– 60% of accounts involved show minimal legitimate activity
– Malicious repositories often masquerade as pirating software, game cheats, and crypto bots
Security Implications:
– Star count proves unreliable as a metric for repository quality
– Few repositories with fake stars appear in package registries like npm and PyPI
– Researchers recommend implementing weighted metrics for repository popularity
– GitHub acknowledges the issue and actively works to remove fake engagement
The findings highlight ongoing security challenges in the open-source software supply chain and the need for better authentication measures.