MisakaNetwork: Blockchain Botnet Threatens npm Ecosystem

C2 interaction with an infected system | Image: Socket

A recent analysis by security researcher Kirill Boychenko at Socket has unveiled a sophisticated npm malware campaign that blends traditional supply chain attack techniques with modern blockchain technology. The campaign, orchestrated by a threat actor known as “_lain,” seeks to create a decentralized, blockchain-powered botnet called MisakaNetwork. This development poses a serious risk to developers and organizations relying on open-source software.

The attack begins with the insertion of malicious npm packages into the ecosystem. The threat actor employs typosquatting, creating packages with names similar to popular libraries like pretierr (targeting prettier) and neextjs (targeting next). Developers unknowingly install these packages, activating malicious postinstall scripts designed to compromise their systems. As Boychenko notes: “The technique exploits the trust developers place in package managers like npm, where scripts in package.json are often taken at face value without scrutiny. Malicious actions are masked under the guise of a normal package installation lifecycle, reducing suspicion.”

With over 280 malicious packages downloaded more than 26,000 times, the scale of the attack underscores the vulnerabilities in the npm ecosystem.
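A defender-side check for the two traits the campaign combines, a typosquatted name and an install-lifecycle script in package.json, as an added example that is not code from Socket's analysis or from the campaign itself; the popular-package list, the edit-distance threshold, the "js"-suffix normalization and the sample manifests are constructed assumptions for the demo.

```javascript
// Added example (not from Socket's analysis): flag dependencies whose names look like
// typosquats of popular packages and whose manifest declares an install-lifecycle script.
const POPULAR = ['prettier', 'next', 'react', 'express', 'lodash']; // constructed list
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];

// Levenshtein edit distance between two package names.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Squatters often append "js"; strip it so "neextjs" is compared against "next".
function normalize(name) {
  return name.toLowerCase().replace(/[-.]?js$/, '');
}

// Returns the popular package a name imitates (edit distance 1 or 2 after
// normalization, never an exact match), or null when nothing is close.
function typosquatTarget(name) {
  const n = normalize(name);
  for (const p of POPULAR) {
    const dist = editDistance(n, p);
    if (dist > 0 && dist <= 2) return p;
  }
  return null;
}

// Audit one parsed package.json object; returns human-readable findings.
function auditManifest(pkg) {
  const findings = [];
  const target = typosquatTarget(pkg.name || '');
  if (target) findings.push(`name "${pkg.name}" resembles popular package "${target}"`);
  for (const hook of LIFECYCLE) {
    if (pkg.scripts && pkg.scripts[hook]) findings.push(`declares ${hook} script: ${pkg.scripts[hook]}`);
  }
  return findings;
}

// Constructed sample manifests: one matching the campaign's pattern, one benign.
const samples = [
  { name: 'pretierr', version: '1.0.0', scripts: { postinstall: 'node index.js' } },
  { name: 'left-pad', version: '1.3.0', scripts: { test: 'node test.js' } },
];
for (const s of samples) console.log(s.name, auditManifest(s));
```

Names close to a popular package are only a heuristic (legitimate packages such as forks can sit one edit away), so findings are review prompts rather than verdicts; running installs with `npm install --ignore-scripts` keeps a flagged lifecycle script from executing while it is reviewed.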

What makes MisakaNetwork particularly innovative is its use of Ethereum smart contracts for command and control. Instead of relying on static IP addresses, which can be blocked, the botnet dynamically retrieves its C2 server address via blockchain. The fetchAndUpdateIp() function queries a smart contract, making the network more resilient and stealthy.

MisakaNetwork botnet | Image: Socket

“This use of blockchain makes it harder to block, as decentralized networks are challenging to take down. The lack of IP addresses in the client code makes it stealthier and challenging for defenders to detect,” Boychenko explains.

Initially designed for Windows, the botnet was later expanded to target Linux and macOS systems, increasing its versatility and potential impact. “_lain’s” malicious code leverages tools like Node.js to run in the background, suppressing the GUI to avoid detection. Persistence mechanisms tailored for each platform ensure the botnet’s continuity across reboots.

The botnet’s user-friendly interface allows operators to execute commands, upload and download files, and deploy additional malware on infected systems. The ability to run arbitrary JavaScript payloads further enhances its capabilities. As Boychenko observes: “The botnet panel is designed to be a user-friendly GUI, allowing the attacker to become an efficient botnet operator (a.k.a. bot-herder), clicking through intuitive buttons designed within the web interface panel.”

The campaign highlights a troubling trend: the use of decentralized technologies like blockchain to strengthen malware operations. “The use of blockchain-enabled botnets and C2 mechanisms indicates a shift towards decentralized control in malware operations, complicating mitigation efforts,” Boychenko warns.