Ethereum smart contracts quietly push javascript malware targeting developers

The post Ethereum smart contracts quietly push javascript malware targeting developers appeared on BitcoinEthereumNews.com.

Hackers are using Ethereum smart contracts to conceal malware payloads inside seemingly benign npm packages, a tactic that turns the blockchain into a resilient command channel and complicates takedowns. ReversingLabs detailed two npm packages, colortoolsv2 and mimelib2, that read a contract on Ethereum to fetch a URL for a second-stage downloader rather than hardcoding infrastructure in the package itself, a choice that reduces static indicators and leaves fewer clues in source code reviews. The packages surfaced in July and were removed after disclosure. ReversingLabs traced their promotion to a network of GitHub repositories that posed as trading bots, including solana-trading-bot-v2, with fake stars, inflated commit histories, and sock-puppet maintainers, a social layer that steered developers toward the malicious dependency chain. The downloads were low, but the method matters. Per The Hacker News, colortoolsv2 saw seven downloads and mimelib2 one, which still fits opportunistic developer targeting. Snyk and OSV now list both packages as malicious, providing quick checks for teams auditing historical builds. History repeating itself The on-chain command channel echoes a broader campaign that researchers tracked in late 2024 across hundreds of npm typosquats. In that wave, packages executed install or preinstall scripts that queried an Ethereum contract, retrieved a base URL, and then downloaded OS-specific payloads named node-win.exe, node-linux, or node-macos. Checkmarx documented a core contract at 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b coupled with a wallet parameter 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84, with observed infrastructure at 45.125.67.172:1337 and 193.233.201.21:3001, among others. Phylum’s deobfuscation shows the ethers.js call to getString(address) on the same contract and logs the rotation of C2 addresses over time, a behavior that turns contract state into a movable pointer for malware retrieval. Socket independently mapped the typosquat flood and published matching IOCs, including the same contract and wallet, confirming cross-source consistency. An old vulnerability continues to thrive ReversingLabs frames the 2025 packages as a…

Leave a Reply

Your email address will not be published. Required fields are marked *

Filed under: News - @ September 4, 2025 1:31 pm