All news with #ethereum tag

Tsundere Botnet Expands Using Game Lures and Node.js

🛡️ Kaspersky researcher Lisandro Ubiedo details an expanding Windows-focused botnet named Tsundere that retrieves and executes arbitrary JavaScript from remote command-and-control servers. The threat, active since mid‑2025, has been distributed via fake MSI installers and PowerShell scripts that deploy Node.js, install dependencies (ws, ethers, and pm2) and establish persistence. Operators fetch WebSocket C2 addresses from an Ethereum smart contract to rotate infrastructure, while a control panel enables artifact building, bot management, proxying, and an on-platform marketplace.

Fake Chrome Extension 'Safery' Exfiltrates Ethereum Seeds

🔒 A malicious Chrome extension posing as Safery: Ethereum Wallet was found to exfiltrate Ethereum wallet seed phrases by encoding mnemonics into synthetic Sui addresses. Socket security researcher Kirill Boychenko and Koi Security report the extension broadcasts micro-transactions (0.000001 SUI) from an attacker-controlled wallet to smuggle seed phrases on-chain without a traditional C2 server. Uploaded on September 29, 2025 and updated November 12, it remained available at the time of reporting. Users should stick to trusted wallet extensions and defenders should flag unexpected RPC calls and on-chain writes during wallet import or creation.

Balancer DeFi Protocol Loses Over $120M in Cyber Heist

🔐 Balancer, an Ethereum automated market maker, has been hit by a sophisticated exploit of its V2 Composable Stable Pools, with estimated losses exceeding $120 million. The team says pools that could be paused have been placed into recovery mode while it works with leading security researchers to investigate. Early analysis suggests a 'rounding down' precision loss in the Balancer Vault calculations was exploited and amplified via the batchSwap function. Balancer confirmed V3 pools were not affected and warned users about related phishing scams.

Fake Solidity VSCode Extension on Open VSX Backdoors

🛡️ A remote-access trojan named SleepyDuck, disguised as a Solidity extension on Open VSX, uses an Ethereum smart contract to deliver command-and-control instructions. The malicious package, downloaded over 53,000 times, activates on editor startup, when a Solidity file is opened, or when the compile command is run. On activation it collects system identifiers, creates a lock file for persistence, and polls an on-chain contract to update or replace its C2 endpoint. Open VSX has flagged the package and implemented security controls; developers should rely only on reputable publishers and official repositories.

Malicious VSX Extension 'SleepyDuck' Uses Ethereum

🦆 Researchers at Secure Annex warned of a malicious Open VSX extension, juan-bianco.solidity-vlang, that delivers a remote access trojan dubbed SleepyDuck. Originally published as a benign library on October 31, 2025, it was updated to a malicious release after reaching about 14,000 downloads. The extension triggers on opening a code editor window or selecting a .sol file, harvesting host details and polling an Ethereum-based contract to obtain and update its command server. It also contains fallback logic using multiple Ethereum RPC providers to recover C2 information if the domain is taken down; users should only install extensions from trusted publishers and follow vendor guidance.

North Korean Actors Abuse Blockchains for Malware Delivery

🛡️ Google Threat Intelligence Group (GTIG) reports that North Korean-linked UNC5342 is using a method called EtherHiding to deliver malware and facilitate cryptocurrency theft by embedding encrypted payloads in smart contracts on Ethereum and BNB Smart Chain. The technique turns immutable contracts into resilient, hard-to-takedown command-and-control infrastructure. Initial lures include fake recruiter messages, poisoned npm packages and malicious GitHub repositories; a JavaScript downloader named JADESNOW fetches and decrypts subsequent backdoors such as INVISIBLEFERRET.

Malicious npm Packages Use Ethereum to Deliver Malware

⚠️ ReversingLabs researchers uncovered a supply chain campaign that used Ethereum smart contracts to conceal URLs for malware delivered via rogue GitHub repositories and npm packages. The packages colortoolsv2 and mimelib2 were intentionally minimal and designed to be pulled as dependencies from fraudulent repositories posing as cryptocurrency trading bots. Attackers inflated commit histories with sockpuppet accounts and automated pushes to appear legitimate, then used on-chain storage to hide secondary payload locations and evade URL-scanning defenses.

Malicious npm Packages Use Ethereum Smart Contracts

🔒 Cybersecurity researchers discovered two malicious npm packages that use Ethereum smart contracts to hide commands and deliver downloader malware to compromised systems. The packages — colortoolsv2 (7 downloads) and mimelib2 (1 download) — were uploaded in July 2025 and removed from the registry. The campaign leveraged a network of GitHub repositories posing as crypto trading tools and is linked to a distribution-as-service operation called Stargazers Ghost Network. Developers are urged to scrutinize packages and maintainers beyond surface metrics before adopting libraries.