A deep technical analysis of the NeoShadow npm supply-chain attack discovered on December 30th, 2025. Four typosquatting packages (viem-js, cyrpto, tailwin, supabase-js) were published by a single author and contained a sophisticated multi-stage Windows malware loader. The attack chain uses JavaScript for initial execution, queries an Ethereum smart contract via Etherscan to retrieve a C2 URL dynamically, downloads an RC4-encrypted payload disguised as analytics JS, then uses MSBuild with inline C# code (a Living-off-the-Land technique) to inject shellcode into RuntimeBroker.exe via APC injection. The final payload is a lightweight RAT with ChaCha20/Curve25519-encrypted C2 communications, ETW patching to blind security tools, and a modular command set for deploying secondary payloads. A second version, deployed on January 2nd, 2026, added a native executable and improved obfuscation. Indicators of compromise, including the C2 domain, IP, Ethereum address, and mutex name, are provided.
Table of contents

- Stage 0 - Malicious JS on npm
- Stage 1 - What the MSBuild?
- Stage 2 - Shellcode analysis
- Stage 3 - A rat in the build
- Interesting features
- C2 Domain
- Version 2 changes
- Conclusion
- 🚨 Indicators of compromise