Canadian Cyber Centre Warns of EtherHiding Campaign: Malware Hidden in Blockchain, Targeting Developer Toolchains
Key Takeaways
- EtherHiding leverages blockchain technology to host and distribute malware, exploiting the transparency of cryptocurrency transaction data as a covert command-and-control channel
- The attack specifically targets developer toolchains by embedding malicious code in configuration files (tailwind.config.js) and exploiting the Node.js runtimes in VS Code and Cursor AI
- The InvisibleFerret backdoor enables remote code execution, file theft, persistence mechanisms, and direct C2 communication, posing severe risks to AI and software development projects
Summary
The Canadian Centre for Cyber Security has issued a detailed alert regarding an active campaign that exploits blockchain technology to covertly host and distribute malware through a technique dubbed EtherHiding. The threat actor inserted malicious JavaScript into a Tailwind CSS configuration file (tailwind.config.js), hidden among thousands of whitespace characters so that it escapes typical code review. When developers interact with the compromised repository, the payload executes within the Node.js runtime embedded in Visual Studio Code or Cursor AI and deploys a backdoor known as InvisibleFerret. The backdoor is designed for covert operations including file theft, directory exfiltration, and command execution via a command-and-control server. The Cyber Centre's analysis reveals a multi-stage attack chain: the malicious JavaScript retrieves cryptocurrency transaction hashes, which trigger a cascade of downloaders and additional payloads that establish persistent unauthorized access to developer machines. The attack demonstrates a detailed understanding of developer workflows and modern AI development tools, and represents a significant supply chain security risk.
- The technique uses obfuscation (whitespace padding) and legitimate development frameworks to evade detection during code reviews, highlighting supply chain vulnerabilities
- Defenders should implement strict code review processes, monitor for suspicious commits in private repositories, and audit dependencies for unauthorized modifications
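The concealment technique described above, code pushed far past the visible editor width by a long run of whitespace, can be caught mechanically in CI or a pre-commit hook. The following Node.js script is an added example and is not code from the Cyber Centre alert or from any project it names; the padding threshold, the function names, and the sample tailwind.config.js content are all constructed for illustration.

```javascript
// Added example (not from the Cyber Centre alert): flag lines in a config file
// where a long run of spaces/tabs is followed by code, the whitespace-padding
// trick the alert describes for tailwind.config.js.

// Assumption: 200 consecutive horizontal whitespace characters before code is
// well beyond anything a formatter produces; tune for your codebase.
const PADDING_THRESHOLD = 200;

/**
 * Return one finding per whitespace run of at least `threshold` characters
 * that is immediately followed by non-whitespace content on the same line.
 */
function findPaddedLines(text, threshold = PADDING_THRESHOLD) {
  const findings = [];
  const lines = text.split(/\r?\n/);
  lines.forEach((line, idx) => {
    // A run of spaces/tabs that is followed by at least one visible character.
    const re = /[ \t]+(?=\S)/g;
    let m;
    while ((m = re.exec(line)) !== null) {
      if (m[0].length >= threshold) {
        const hidden = line.slice(m.index + m[0].length);
        findings.push({
          line: idx + 1,          // 1-based line number for the reviewer
          padding: m[0].length,   // how many whitespace chars precede the code
          preview: hidden.slice(0, 60), // what was hidden behind them
        });
      }
    }
  });
  return findings;
}

// Constructed sample: a plausible tailwind.config.js whose `plugins` line carries
// an inert placeholder statement hidden behind 1500 spaces.
const SAMPLE = [
  "/** @type {import('tailwindcss').Config} */",
  "module.exports = {",
  "  content: ['./src/**/*.{js,jsx,ts,tsx}'],",
  "  theme: { extend: {} },",
  "  plugins: []," + " ".repeat(1500) + "eval(atob('PLACEHOLDER'));",
  "};",
  "",
].join("\n");

// When run directly: scan the file given on the command line, or the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const target = process.argv[2];
  const text = target ? require('fs').readFileSync(target, 'utf8') : SAMPLE;
  const results = findPaddedLines(text);
  for (const f of results) {
    console.log(`line ${f.line}: ${f.padding} whitespace chars precede code: ${f.preview}`);
  }
  process.exitCode = results.length ? 1 : 0;
}
```

Run it as `node check-padding.js tailwind.config.js`; a non-zero exit code fails the pipeline stage. The check is deliberately narrow: it does not judge what the hidden code does, only that something was placed where a reviewer scrolling a normal-width diff would not see it, which is the property the alert highlights.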