Ethereum Developers May Face Risks from Malicious Code Found in ETHcode Open Source Update

  • Cybersecurity researchers have uncovered malicious code embedded in a recent update to ETHcode, a widely used open source toolset for Ethereum developers.

  • The hidden code was inserted via a GitHub pull request, cleverly disguised within thousands of lines of legitimate updates, raising concerns about open source software security in the crypto ecosystem.

  • According to Petar Kirhmajer of ReversingLabs, the malicious payload could potentially steal crypto assets or compromise Ethereum smart contracts, though no evidence of active exploitation has been found yet.

ReversingLabs reveals malicious code in ETHcode update, highlighting risks in open source Ethereum tools and urging developers to verify dependencies carefully.

Malicious Code Injection in ETHcode Update Raises Security Alarms

On June 17, a GitHub pull request submitted by a previously unknown user, Airez299, introduced two lines of malicious code into ETHcode, an open source suite designed for Ethereum developers to build and deploy EVM-compatible smart contracts and decentralized applications. The pull request, containing 43 commits and over 4,000 updated lines, primarily focused on adding a new testing framework, which helped mask the malicious additions. ReversingLabs’ investigation revealed that the attacker used obfuscation techniques to hide the first line of code by mimicking the name of an existing file and jumbling its content, making detection difficult for both human reviewers and automated tools.

How the Malicious Code Operates and Its Potential Impact

The second line of the injected code activates the first, which creates an automated PowerShell function designed to download and execute a batch script from a public file-hosting service. While ReversingLabs continues to analyze the script’s exact functionality, preliminary assessments suggest it could be used to steal cryptocurrency assets stored on the victim’s machine or compromise Ethereum contracts under development. Despite the severity of this potential threat, there is currently no evidence that the malicious code has been exploited to steal tokens or sensitive data. However, with ETHcode boasting approximately 6,000 installations, the automatic update mechanism could have propagated the malicious code to thousands of developer systems, amplifying the risk.

Open Source Vulnerabilities and the Growing Attack Surface in Crypto Development

This incident underscores a broader challenge in the crypto industry: the reliance on open source software, which, while fostering innovation and collaboration, also introduces significant security risks. Ethereum developer and NUMBER GROUP co-founder Zak Cole emphasized that many developers install open source packages without thorough vetting, making it “way too easy for someone to slip in something malicious.” He highlighted recent high-profile exploits, including the Ledger Connect Kit breach and malware found in Solana’s web3.js library, as examples of how attackers exploit trust in popular open source projects.

Best Practices for Developers to Mitigate Risks from Malicious Code

To counter these threats, ReversingLabs recommends developers rigorously verify the identity and contribution history of code submitters before integrating updates. Reviewing critical files like package.json to assess new dependencies is also essential. Zak Cole advises locking down dependencies to prevent unvetted code from being pulled in automatically and employing tools that detect suspicious behavior or maintainers. Additionally, developers should monitor for unexpected package ownership changes or sudden updates, which can signal potential compromises. Cole further cautions against running signing tools or wallets on the same machine used for development, advocating for sandboxing and strict operational security measures.
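Two of the review steps above lend themselves to automation: checking package.json for new or loosened dependencies and newly added install-time scripts, and catching a contributed file whose name closely resembles an existing one (the disguise described earlier). The following is an added example and not ETHcode's, ReversingLabs' or Zak Cole's code; the two manifests and the file lists are constructed sample inputs, and the package and file names in them are placeholders.

```javascript
// Added example: audit what a pull request changes in package.json and flag
// added files whose names look like existing ones. All inputs below are
// constructed samples, not taken from the ETHcode repository.

// Manifest as it was before the pull request (constructed).
const OLD_MANIFEST = {
  name: "example-extension",
  version: "1.0.0",
  scripts: { build: "tsc -p ./", test: "mocha" },
  dependencies: { ethers: "5.7.2", ws: "8.13.0" },
  devDependencies: { mocha: "10.2.0" },
};

// Manifest as proposed by the pull request (constructed). It adds a
// dependency, loosens one version range and adds a postinstall hook.
const NEW_MANIFEST = {
  name: "example-extension",
  version: "1.1.0",
  scripts: { build: "tsc -p ./", test: "mocha", postinstall: "node ./setup.js" },
  dependencies: { ethers: "5.7.2", ws: "^8.13.0", "example-helper-lib": "1.0.1" },
  devDependencies: { mocha: "10.2.0", jest: "29.7.0" },
};

// Lifecycle scripts that npm runs automatically during installation. A hook
// that appears or changes in a pull request deserves a close look.
const INSTALL_HOOKS = new Set(["preinstall", "install", "postinstall", "prepare", "prepublish"]);

// An exact version pins one release; anything else (^, ~, *, ranges, tags)
// lets the package manager pull in code that was never reviewed.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Compare two manifests and return a list of findings for the reviewer.
function auditManifestChange(oldPkg, newPkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    const before = oldPkg[field] || {};
    const after = newPkg[field] || {};
    for (const [name, spec] of Object.entries(after)) {
      if (!(name in before)) {
        findings.push({ severity: "high", kind: "new-dependency", field, name, spec });
      } else if (before[name] !== spec) {
        findings.push({ severity: "medium", kind: "changed-range", field, name, from: before[name], to: spec });
      }
      if (!isPinned(spec)) {
        findings.push({ severity: "medium", kind: "unpinned", field, name, spec });
      }
    }
  }
  const oldScripts = oldPkg.scripts || {};
  for (const [hook, cmd] of Object.entries(newPkg.scripts || {})) {
    if (INSTALL_HOOKS.has(hook) && oldScripts[hook] !== cmd) {
      findings.push({ severity: "high", kind: "install-hook", name: hook, spec: cmd });
    }
  }
  return findings;
}

// Levenshtein distance between two strings (single-row dynamic programming).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Flag added files whose basename is within two edits of an existing file's
// basename (case-insensitive), which catches swapped letters and I/l tricks.
function lookalikeFiles(existing, added) {
  const base = (p) => p.split("/").pop().toLowerCase();
  const hits = [];
  for (const a of added) {
    for (const e of existing) {
      if (a !== e && editDistance(base(a), base(e)) <= 2) hits.push({ added: a, resembles: e });
    }
  }
  return hits;
}

// Constructed file lists: one added file imitates src/utils/helpers.ts.
const EXISTING_FILES = ["src/utils/helpers.ts", "src/extension.ts"];
const ADDED_FILES = ["src/utils/heIpers.ts", "src/test/setup.ts"];

for (const f of auditManifestChange(OLD_MANIFEST, NEW_MANIFEST)) console.log(f);
for (const h of lookalikeFiles(EXISTING_FILES, ADDED_FILES)) console.log(h);
```

In a real review the two manifests would come from the base and head commits of the pull request and the file lists from the diff; the rules here are deliberately simple so that every finding is explainable to the submitter, and a hit is a prompt to read the change, not proof of malice.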

Conclusion

The discovery of malicious code in ETHcode serves as a stark reminder of the vulnerabilities inherent in open source crypto development. While no active exploitation has been confirmed, the incident highlights the need for heightened vigilance and robust security protocols among developers. By adopting stringent verification practices and leveraging security tools, the Ethereum community can better safeguard its ecosystem against similar threats in the future.
