Malicious NPM Package Deploys Quasar RAT on Developer Systems

A malicious npm package targeting developers has surfaced under the name ethereumvulncontracthandler. Disguised as a tool for detecting Ethereum vulnerabilities, it secretly delivers Quasar RAT, a remote access trojan (RAT) whose code was first released publicly in 2014 and which has since become notorious for its use in cybercrime and espionage campaigns.

The package, uploaded on December 18, 2024, hides its purpose behind layered obfuscation, including Base64 encoding, XOR encoding and minification. Once installed, it downloads a malicious script from a remote server and silently executes it. That script runs PowerShell commands to deploy Quasar RAT, which then establishes persistence through Windows Registry modifications and connects to a command-and-control (C2) server for instructions, letting the attackers exfiltrate data and retain control of infected systems.

The malware also tries to evade sandbox environments: before fully executing, it checks whether it is running under analysis. Once active, it acts as a loader, fetching and executing additional payloads from remote servers. Together these capabilities give attackers full monitoring and control of the victim's system.
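The behaviours described above (install-time execution, Base64 and XOR obfuscation, PowerShell, Run-key persistence, a staged download) are the kind of thing a package audit can flag before installation. The following is an added example, not code from the article or from the package it describes: a heuristic triage script for an npm package directory, run here against a constructed, inert sample package rather than real files.

```javascript
// Added example, not code from the article or the package it describes: heuristic
// triage of an npm package for the install-time pattern described above (lifecycle
// scripts, Base64/XOR obfuscation, minified lines, PowerShell or child_process use,
// Run-key persistence strings, remote URLs). Real use would read files with fs; here
// the sample package is constructed inline.
const INDICATORS = [
  { id: 'base64-blob',   re: /["'`][A-Za-z0-9+\/]{80,}={0,2}["'`]/, note: 'long Base64 literal' },
  { id: 'xor-decode',    re: /charCodeAt\([^)]*\)\s*\^/,             note: 'XOR over char codes (custom decoding)' },
  { id: 'child-process', re: /require\(["']child_process["']\)/,     note: 'spawns processes' },
  { id: 'powershell',    re: /powershell/i,                           note: 'invokes PowerShell' },
  { id: 'run-key',       re: /CurrentVersion\\+Run\b/i,               note: 'Windows Run key (persistence)' },
  { id: 'remote-url',    re: /https?:\/\/[^\s"'`]+/,                 note: 'remote URL (possible staged download)' },
];
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];
// pkg = { packageJson: <parsed package.json>, files: { relativePath: sourceText } }
function scanPackage(pkg) {
  const findings = [];
  const scripts = pkg.packageJson.scripts || {};
  for (const hook of LIFECYCLE) {
    if (scripts[hook]) findings.push({ file: 'package.json', id: 'lifecycle-script', note: `${hook}: ${scripts[hook]}` });
  }
  for (const [file, src] of Object.entries(pkg.files)) {
    const longest = Math.max(...src.split('\n').map((l) => l.length));
    if (longest > 500) findings.push({ file, id: 'minified', note: `line of ${longest} chars` });
    for (const ind of INDICATORS) if (ind.re.test(src)) findings.push({ file, id: ind.id, note: ind.note });
  }
  return findings;
}
// Install-time execution that is both hidden and acts (spawns, reaches out, persists) is the article's pattern; rank it highest.
function riskLevel(findings) {
  const ids = new Set(findings.map((f) => f.id));
  const hidden = ['base64-blob', 'xor-decode', 'minified'].some((i) => ids.has(i));
  const acts = ['child-process', 'powershell', 'run-key', 'remote-url'].some((i) => ids.has(i));
  if (ids.has('lifecycle-script') && hidden && acts) return 'high';
  if (ids.has('lifecycle-script') && (hidden || acts)) return 'medium';
  return ids.size ? 'low' : 'none';
}
// Constructed sample: inert text carrying the indicators, not a working payload.
const b64 = Buffer.from('constructed sample text '.repeat(4)).toString('base64');
const SAMPLE = {
  packageJson: { name: 'example-contract-checker', scripts: { postinstall: 'node setup.js' } },
  files: {
    'setup.js': [
      `const blob = "${b64}";`,
      'const out = atob(blob).split("").map((c) => String.fromCharCode(c.charCodeAt(0) ^ 7)).join("");',
      'const persist = "HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"; const runner = "powershell"; const cp = require("child_process");',
    ].join('\n'),
  },
};
console.log(riskLevel(scanPackage(SAMPLE)), scanPackage(SAMPLE));
```

The heuristics are deliberately simple and will produce false positives on legitimate build tooling; the point is to surface packages whose install scripts deserve a manual read before `npm install` runs them.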

The discovery of this package highlights a larger issue in the open-source ecosystem. Researchers also uncovered a surge in fake GitHub stars used to promote malware-laden repositories. These stars artificially inflate the popularity of repositories posing as game cheats, piracy tools and cryptocurrency bots. Merchants openly advertise fake stars, selling 1,000 of them for as little as $110. Although GitHub actively combats the practice, fake stars remain a significant problem.

The findings emphasize that raw GitHub star counts are unreliable indicators of a repository's quality. Researchers recommend weighted metrics that better reflect credibility and resist inflation by bots and low-reputation accounts.

Preventing Such Threats

Developers should install packages only from trusted sources and review their code before installation. Robust security practices, such as sandboxing untrusted applications and keeping anti-malware tools up to date, are essential. Open-source platforms, for their part, should prioritize stronger repository trust signals to deter attackers.