54 New NPM Packages Found Beaconing to C2 Server in Ethereum Smart Contract

On January 8th, we detected and blocked a malware campaign targeting Windows hosts that consisted of 42 new malicious NPM packages. An additional 12 related packages were blocked on January 9th, bringing the total to 54 packages.

Infrastructure and Evasion Techniques

The campaign employed several techniques:

  • Dead Drop Resolver: The C2 server URL was stored in an Ethereum smart contract (address: 0x527269621503b08191f2744f666bdd997d14ee2b), which currently shows no transactions. This technique makes takedown efforts more difficult as the infrastructure can be updated without modifying the malware itself.
  • Cloudflare-Fronted C2: The C2 server appears to be protected by Cloudflare and is currently inactive, preventing us from retrieving the second-stage payload.
  • Anti-Analysis Protections: The malware includes environment checks designed to evade sandbox detection, specifically targeting Windows systems with 5 or more CPUs.

Malware Capabilities

The observed first-stage JavaScript payload includes the following capabilities:

  • System fingerprinting and beaconing to C2 infrastructure
  • Machine identifier generation based on hashed system details (hostname, CPU count, total memory, network interfaces, etc.)
  • Registry persistence mechanism via COM hijacking technique
  • Native node module loader (“analytics.node”) which uses an Asynchronous Procedure Call to execute the second-stage payload delivered by the C2
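As an added defensive example (not Veracode's tooling and not the campaign's code), the Node.js triage pass below inspects a package's lifecycle hooks for the indicators described in the two lists above: an Ethereum contract address and JSON-RPC read (the dead drop resolver), a CPU-count gate, a native `.node` addon load, and an HKCU CLSID `InprocServer32` path. The package.json and install script are constructed; the contract address and registry key are the ones from this post's IoC list.

```javascript
// Added example (not Veracode's tooling): pre-install triage of a package's lifecycle
// hooks for the indicators this campaign relied on. Sample input is constructed inline.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each rule pairs a regex over install-script source with a reason for the analyst.
const RULES = [
  { id: 'eth-address',    re: /\b0x[0-9a-fA-F]{40}\b/,                                       why: 'Ethereum address: possible dead drop resolver' },
  { id: 'eth-rpc',        re: /\beth_call\b|\beth_getStorageAt\b/,                           why: 'JSON-RPC read of a contract from an install hook' },
  { id: 'cpu-count-gate', re: /os\.cpus\(\)\.length\s*[<>]=?\s*\d+/,                          why: 'CPU-count check, typical sandbox evasion' },
  { id: 'native-addon',   re: /require\(\s*['"][^'"]*\.node['"]\s*\)|process\.dlopen\(/,      why: 'loads a native .node addon from an install hook' },
  { id: 'com-hijack-key', re: /HKCU\\+Software\\+Classes\\+CLSID\\+\{[0-9A-Fa-f-]+\}\\+InprocServer32/, why: 'HKCU CLSID InprocServer32 path: COM hijack persistence' },
];

// Resolve each lifecycle hook to the script file it runs (e.g. "node setup.js").
function hookScripts(pkg) {
  const out = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    const m = cmd.match(/\bnode\s+([\w./-]+\.js)\b/);
    out.push({ hook, cmd, file: m ? m[1] : null });
  }
  return out;
}

// pkg: parsed package.json; files: relative path -> source text. One finding per (hook, rule)
// hit; when a hook does not point at a file we hold, the command line itself is scanned.
function scanPackage(pkg, files) {
  const findings = [];
  for (const h of hookScripts(pkg)) {
    const src = h.file && files[h.file] !== undefined ? files[h.file] : h.cmd;
    for (const rule of RULES) {
      if (rule.re.test(src)) findings.push({ hook: h.hook, rule: rule.id, why: rule.why });
    }
  }
  return findings;
}
// Policy: two independent indicators in an install hook is enough to block the package.
function verdict(findings) {
  return findings.length >= 2 ? 'block' : findings.length === 1 ? 'review' : 'allow';
}
// Constructed sample shaped like the first stage described above (IoC values from the post).
const SAMPLE_PKG = { name: 'example-js', version: '1.0.1', scripts: { postinstall: 'node setup.js' } };
const SAMPLE_FILES = { 'setup.js': String.raw`
if (process.platform !== 'win32' || os.cpus().length < 5) process.exit(0);
const body = JSON.stringify({ method: 'eth_call', params: [{ to: '0x527269621503b08191f2744f666bdd997d14ee2b' }, 'latest'] });
const key = 'HKCU\\Software\\Classes\\CLSID\\{D4E5F6A7-B8C9-0D1E-2F3A-4B5C6D7E8F90}\\InprocServer32';
const addon = require('./analytics.node');` };
console.log(verdict(scanPackage(SAMPLE_PKG, SAMPLE_FILES)), scanPackage(SAMPLE_PKG, SAMPLE_FILES));
```

Running it against an unpacked tarball before `npm install` is the point: lifecycle hooks are the only code that executes at install time, so that is where the scan effort belongs.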

Assessment

Based on the non-targeted nature of the machine identifier generation, this campaign does not appear to be a targeted attack. We suspect it is a cryptocurrency stealer or miner operation that may still be under development. The campaign appears to have ceased activity: no further packages have been published recently and the C2 server seems to be dormant. We anticipate that the campaign will resurface with modifications and will update this post if it resumes.

Veracode Customers Remain Protected

Veracode customers using Package Firewall are shielded from these threats, with the Package Firewall preventing both server- and browser-targeted malware from reaching the SDLC. Customers can also use Software Composition Analysis (SCA) to detect the usage of these malicious packages.

Veracode's Supply Chain offerings are designed to protect our customers from these types of attacks with:

  1. Proactive Threat Monitoring: The Veracode Threat Research Team continuously tracks open-source activity. Automated detection and expert analysis quickly identify anomalous publishing behavior, code obfuscation, and indicators of malware.
  2. Immediate Blocking: Once a package is confirmed to be malicious, it is programmatically blocklisted. Veracode Package Firewall prevents vulnerable or compromised packages, including those from the chalk, debug, and DuckDB campaigns, from being installed in customer environments.
  3. Policy Enforcement: Customers maintain strict controls over allowable packages. Policies enforced by Veracode automatically block the introduction of newly compromised packages and prevent execution of malicious scripts.
  4. Expert Guidance: The team continuously issues updates and actionable recommendations to help organizations respond quickly and confidently when new supply chain threats emerge.

NPM Attacks Conclusion: Stay Ahead of Advanced Threats

Veracode empowers you to adopt a proactive, defense-ready stance, protecting your developers, your users, and your business from the next wave of sophisticated supply chain attacks.

Reach out to learn more.

Indicators of Compromise

Ethereum Smart Contracts

  • 0x527269621503b08191f2744f666bdd997d14ee2b

C2 Servers

  • hxxps://staticflow-metrics[.]com

Windows Registry Keys

  • HKCU\Software\Classes\CLSID\{D4E5F6A7-B8C9-0D1E-2F3A-4B5C6D7E8F90}\InprocServer32

NPM Packages
