The packages are typosquatted versions of Puppeteer and Bignum.js.
The binary shipped to the machine is a packed Vercel package, the researchers explained.
An apparent oversight by the malicious package author, they say.
This is, once again, a persistent reminder that supply chain attacks are alive and well.
The IP cannot be seen in the first-stage code.
Instead, the code will first access an Ethereum smart contract, where the IP is stored.
Software developers, particularly those working in the Web3 space, are often targets of such attacks.
Therefore, double-checking the names of all downloaded packages is a must.
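One way to turn that advice into a routine check is to compare every dependency name in a project against an allow-list of well-known packages and flag anything that is not an exact match but sits within a small edit distance of one. The block below is an added example, not code from the article or from any of the packages it describes; the allow-list and the sample dependency map are constructed for the demo, and the distance threshold of 2 is an assumption to tune per project.

```javascript
// Added example (not from the article): a typosquat check over a project's
// dependency names, run before install. Names that exactly match a known
// package are trusted; names that are a keystroke or two away are reported.

// Constructed allow-list of package names the project is known to use.
const KNOWN_PACKAGES = ["puppeteer", "bignum", "express", "lodash", "react"];

// Optimal-string-alignment edit distance: insert, delete, substitute and
// swap of adjacent characters, since most typosquats are one such slip away.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Lowercase and drop separators so "big-num", "big_num" and "bignum" compare equal.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Returns [{ name, lookalike, distance }] for dependencies that resemble a
// known package without being one. maxDistance is an assumed threshold.
function findTyposquats(deps, known = KNOWN_PACKAGES, maxDistance = 2) {
  const knownSet = new Set(known.map(normalize));
  const findings = [];
  for (const name of Object.keys(deps)) {
    const candidate = normalize(name);
    if (knownSet.has(candidate)) continue; // exact match: trusted
    for (const k of known) {
      const distance = editDistance(candidate, normalize(k));
      if (distance <= maxDistance) {
        findings.push({ name, lookalike: k, distance });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample "dependencies" map, as it would appear in package.json.
const SAMPLE_DEPS = {
  "puppeteer": "^22.0.0", // genuine
  "puppeter": "^1.0.0",   // one letter dropped
  "bignmu": "^0.1.0",     // two letters swapped
  "express": "^4.19.0",   // genuine
  "lodash": "^4.17.0",    // genuine
  "react-dom": "^18.0.0", // distance 3 from "react": legitimately different, not flagged
};

// Report format: one line per suspicious dependency.
function report(deps) {
  return findTyposquats(deps).map(
    (f) => `${f.name}: resembles "${f.lookalike}" (edit distance ${f.distance})`
  );
}

for (const line of report(SAMPLE_DEPS)) console.log(line);
```

Running this on the constructed sample flags `puppeter` and `bignmu` and leaves the genuine names and `react-dom` alone. In practice the allow-list would be the project's lockfile from a known-good commit, and the check would run in CI before any install step executes package scripts.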
Via Ars Technica