A VS Code extension for Ethereum smart contract development, ETHcode, was compromised through a GitHub pull request. The attacker, using a newly created account, submitted a PR that introduced a malicious dependency and code to execute it. The compromise was subtle, involving only two lines of code changes among thousands. The malicious code downloads and runs a batch script from a public file-hosting service, potentially to steal crypto assets or compromise Ethereum contracts. The extension, with nearly 6,000 installs, was removed from the marketplace after discovery. This incident highlights the importance of carefully reviewing contributions, especially from new accounts, and scrutinizing package dependencies in software development workflows.

Author: AlienVault
Related Tags:
ethereum
javascript obfuscation
pull request
keythereum-utils
ethcode
T1553.006
T1195.001
T1204.002
T1059.001
Associated Indicators:


