EXECUTIVE SUMMARY:
A supply chain attack has been identified involving a compromised version of a widely used DeFi development toolkit available through the npm ecosystem. The affected version was altered to execute unauthorized code upon import, enabling attackers to silently deploy a remote access trojan Minirat on developer systems. It highlights the growing risk of dependency-based attacks within open-source ecosystems, particularly targeting cryptocurrency and Web3 developers.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
A supply chain attack has been identified involving a compromised version of a widely used DeFi development toolkit available through the npm ecosystem. The affected version was altered to execute unauthorized code upon import, enabling attackers to silently deploy a remote access trojan Minirat on developer systems. It highlights the growing risk of dependency-based attacks within open-source ecosystems, particularly targeting cryptocurrency and Web3 developers.[emaillocker id="1283"]
The attack was introduced through a tampered version of the SDK where a small amount of malicious JavaScript code was injected into the compiled distribution file. When the package is imported into a project, the code executes immediately and triggers a hidden shell command that retrieves and runs a remote installation script from attacker-controlled infrastructure, which subsequently downloads a platform-specific Go-based payload designed for macOS systems. Once executed, the payload establishes persistence using macOS launch services by disguising itself as a legitimate system-related process. The malware then deploys a fully functional remote access trojan capable of executing arbitrary system commands, exfiltrating files, enumerating system information, and maintaining encrypted communication with command-and-control servers. It also incorporates anti-analysis techniques such as virtual machine detection and execution safeguards to avoid sandboxed environments, while ensuring continuous attacker control through encrypted communication channels and fallback infrastructure.
It demonstrates a highly stealthy and effective software supply chain compromise technique where malicious functionality is embedded directly into trusted library code. By leveraging automatic execution on import and multi-stage payload delivery, the attack bypassed traditional installation-based security monitoring. The incident underscores the critical need for strict dependency validation, integrity verification, and continuous monitoring of third-party packages to mitigate risks associated with modern open-source ecosystems.
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| T1204.002 | User Execution | Malicious File | |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Stealth | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| T1027.007 | Obfuscate Files or Information | Dynamic API Resolution | |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| T1105 | Ingress Tool Transfer | - |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/minirat-macos-rat-go-npm-supply-chain-malware/
https://safedep.io/malicious-velora-dex-sdk-npm-compromised-rat/
[/emaillocker]