BREAKING: Ethereum Code Extension Compromised by Malicious Pull Request—Security Alert

Author: decryptCO
Published: 2025-07-11 10:17:53

Malicious Pull Request Inserted Into Ethereum Code Extension: Research

Ethereum's codebase dodges a bullet—but the shot came from inside the house.

Backdoor in Broad Daylight

A researcher just uncovered a malicious pull request slipped into a critical Ethereum extension. No fancy zero-days here—just old-fashioned human oversight letting danger creep into the commit history.

Why This Stings

Open source's strength is its weakness: anyone can contribute, including bad actors banking on maintainers' trust. This time, they almost got away with it—until some paranoid dev actually read the diffs.

Crypto's Irony

Blockchains preach 'don't trust, verify,' while their own tooling gets compromised by... *checks notes*... not verifying pull requests. Maybe next time save some of that audit budget for the actual codebase.

Stay sharp—the next 'update' might be your wallet's funeral.

“Too much code and not enough eyes on it.”

According to Ethereum developer and Number Group co-founder Zak Cole, many developers install open source packages without checking them properly.

“It’s way too easy for someone to slip in something malicious,” he told Decrypt. “Could be an npm package, a browser extension, whatever.”

Recent high-profile examples of this include the Ledger Connect Kit exploit from December 2023, as well as the discovery last December of malware in Solana’s web3.js open source library.

“There’s too much code and not enough eyes on it,” adds Cole. “Most people just assume stuff is safe because it’s popular or been around a while, but that doesn’t mean anything.”

Cole affirms that, while this kind of thing is not particularly new, “the addressable surface of attack is spreading” because more and more developers are using open source tools.

“Also, keep in mind that there are entire warehouses full of DPRK operatives whose full time job is to execute these exploits,” he says.

While Cole suggests that there is probably more malicious code lurking around than many devs realise, Kirhmajer told Decrypt that, in his estimation, “successful attempts are very rare.”

This leads to the question of what developers can do to reduce their chances of using compromised code, with ReversingLabs recommending that they verify the identity and history of contributors before downloading anything.

The firm also suggested that devs review files such as package.json in order to evaluate new dependencies, which is something that Zak Cole also advocates.

“What helps is locking down your dependencies so you’re not pulling in random new stuff every time you build,” he said.

Cole also recommended using tools that scan for weird behavior or sketchy maintainers, while also looking out for any packages that might suddenly change hands or update out of the blue.

“Also don’t run signing tools or wallets on the same machine you use to build stuff,” he concluded. “Just assume nothing is safe unless you’ve checked it or sandboxed it.”
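As an added example (not code from the article or from any project it mentions), the script below applies the advice above to a pull request that touches package.json: it lists which dependencies the change added or altered, flags version specifiers that are not pinned to an exact release, flags scripts that run automatically at install time, and reports dependencies that do not appear in package-lock.json. The package names, manifests and lockfile are constructed for illustration.

```javascript
// Added example (not code from the article or the projects it mentions): a
// pre-merge check for package.json that flags what a pull request added or
// changed, unpinned version ranges, scripts that run at install time, and
// dependencies absent from package-lock.json. Sample data is constructed.

const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

function allDeps(pkg) {
  return Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
}

// Dependencies that are new, or whose specifier changed, between base and head.
function changedDependencies(basePkg, headPkg) {
  const base = allDeps(basePkg), head = allDeps(headPkg);
  return Object.keys(head)
    .filter(name => base[name] !== head[name])
    .map(name => ({ name, before: base[name] || null, after: head[name] }));
}

// Package names recorded in the lockfile (lockfileVersion 2/3 "packages" layout,
// falling back to the v1 "dependencies" layout).
function lockedNames(lock) {
  if (!lock.packages) return new Set(Object.keys(lock.dependencies || {}));
  return new Set(Object.keys(lock.packages)
    .filter(k => k.startsWith('node_modules/'))
    .map(k => k.slice('node_modules/'.length)));
}

function auditManifest(pkg, lock) {
  const findings = [], locked = lockedNames(lock);
  for (const [name, spec] of Object.entries(allDeps(pkg))) {
    if (!EXACT_VERSION.test(spec)) findings.push({ kind: 'unpinned', name, detail: spec });
    if (!locked.has(name)) findings.push({ kind: 'not-in-lockfile', name, detail: spec });
  }
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) findings.push({ kind: 'install-hook', name: hook, detail: pkg.scripts[hook] });
  }
  return findings;
}

// Constructed sample: manifest before and after a hypothetical pull request.
const BASE_PKG = { dependencies: { 'example-sdk': '1.4.2' } };
const HEAD_PKG = {
  dependencies: { 'example-sdk': '1.4.2', 'example-helper': '^0.3.0' },
  scripts: { build: 'tsc', postinstall: 'node setup.js' },
};
const LOCK = { lockfileVersion: 3, packages: { '': {}, 'node_modules/example-sdk': { version: '1.4.2' } } };
console.log(changedDependencies(BASE_PKG, HEAD_PKG), auditManifest(HEAD_PKG, LOCK));
```

Run against the sample, it reports one added dependency and three findings: the new package is unpinned and missing from the lockfile, and the pull request introduced a postinstall script, which is exactly the kind of change a reviewer should read before merging.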
