Researchers Find Ethereum Smart Contracts Used to Deliver Malware
TL;DR
Cybersecurity researchers discovered that two malicious NPM packages, “colortoolsv2” and “mimelib2,” used Ethereum smart contracts to deliver hidden malware.
Attackers disguised their activity as legitimate blockchain traffic, bypassing traditional security scans.
The campaign involved fake GitHub repositories and social engineering tactics, highlighting the evolving supply chain threats in open-source crypto tooling and the growing need for developer vigilance.
Cybersecurity specialists at ReversingLabs revealed that hackers are leveraging Ethereum smart contracts to conceal malware, allowing malicious commands to evade detection. The attack uses two packages uploaded to the Node Package Manager in July, which fetch hidden URLs from Ethereum contracts to download second-stage malware. By embedding commands on the blockchain, attackers mask harmful activity as routine traffic, complicating security analysis.
“This method is unprecedented in its use of smart contracts for malware delivery,” said ReversingLabs researcher Lucija Valentić. “It demonstrates how threat actors are rapidly evolving strategies to exploit open-source repositories.”
The packages appeared as normal utilities but acted as downloaders, part of a sophisticated social engineering campaign on GitHub. Fake cryptocurrency bot repositories were created with fabricated commits, sham user accounts, and polished documentation to appear authentic, increasing the likelihood developers would unknowingly import malware.
The incident also signals a rising trend of attackers combining blockchain and open-source ecosystems. By leveraging decentralized networks, hackers can distribute commands globally while remaining anonymous, which defeats traditional centralized monitoring tools: a contract cannot be taken down the way a hosted file can. Security teams now need to monitor unusual blockchain interactions, verify the integrity of every dependency, adopt advanced heuristic tools, implement continuous auditing protocols, educate developers on recognizing subtle signs of compromise, and maintain real-time threat intelligence to counter evolving attack vectors effectively.
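One defensive check the recommendation above implies, added here as an illustration and not code from ReversingLabs or from the packages named: a heuristic scan that flags an npm package whose files both read from an Ethereum contract or RPC endpoint and hand fetched data to a downloader or code-execution primitive, escalating when the code runs from an install hook. The indicator lists and the two sample packages are constructed assumptions, not signatures for the real campaign.

```javascript
// Heuristic: the signal is the combination of an on-chain read with a
// download or execution primitive, not either one alone (wallet tooling
// legitimately reads from Ethereum). Pattern lists are illustrative.
const CHAIN_HINTS = [/\beth_call\b/, /\bethers\b/, /\bweb3\b/, /\bcontract\.methods\b/,
  /(infura|alchemy|ankr)\.(io|com)/i];
const FETCH_HINTS = [/\bhttps?\.get\s*\(/, /\bfetch\s*\(/, /\baxios\b/];
const EXEC_HINTS = [/\beval\s*\(/, /\bnew\s+Function\s*\(/, /\bchild_process\b/,
  /\bexec(Sync)?\s*\(/, /\bspawn\s*\(/];

function matchAny(patterns, src) {
  return patterns.filter((p) => p.test(src)).map((p) => p.source);
}

// pkg = { manifest: <parsed package.json>, files: { "path": "source text" } }
function scanPackage(pkg) {
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  const hooks = ["preinstall", "install", "postinstall"].filter((h) => scripts[h]);
  const chain = [], fetch = [], exec = [];
  for (const [path, src] of Object.entries(pkg.files || {})) {
    for (const m of matchAny(CHAIN_HINTS, src)) chain.push(`${path}: ${m}`);
    for (const m of matchAny(FETCH_HINTS, src)) fetch.push(`${path}: ${m}`);
    for (const m of matchAny(EXEC_HINTS, src)) exec.push(`${path}: ${m}`);
  }
  const suspicious = chain.length > 0 && (fetch.length > 0 || exec.length > 0);
  // Block when the combination sits behind an install hook (runs on `npm install`);
  // otherwise hand it to a human reviewer.
  const verdict = !suspicious ? "clean" : hooks.length ? "block" : "review";
  return { verdict, hooks, chain, fetch, exec };
}

// Constructed sample inputs (not the real colortoolsv2 / mimelib2 contents).
const SUSPECT = {
  manifest: { name: "example-colors", scripts: { postinstall: "node setup.js" } },
  files: { "setup.js": [
    'const { ethers } = require("ethers");',
    'const { execSync } = require("child_process");',
    'const https = require("https");',
    "// constructed: a value read from a contract is used as a download URL",
    "const url = await contract.getConfig();",
    "https.get(url, save); execSync(saved);",
  ].join("\n") },
};
const BENIGN = {
  manifest: { name: "example-wallet-ui", scripts: { test: "jest" } },
  files: { "index.js": 'const { ethers } = require("ethers");\nmodule.exports = (a) => ethers.getAddress(a);' },
};
```

Run this over an unpacked tarball (`npm pack` then read each file) before the package reaches `npm install`; a "review" verdict still needs a human looking at what the fetched value feeds.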
Developers Face Rising Risks From Malicious Open-Source Packages
Ethereum has become a new frontier for software supply chain attacks. The incident also reflects broader trends, with 23 crypto-related malicious campaigns documented in 2024 alone, targeting repositories for Solana, Bitcoinlib, and other blockchain technologies.
Attackers historically have hosted malicious links on trusted services like GitHub Gists, Google Drive, or OneDrive. Using Ethereum smart contracts adds a blockchain-centered twist, blending malware into legitimate-looking decentralized activity.
Developers are warned that package popularity and active maintainers can be faked. Even seemingly simple packages may carry hidden payloads, including malware aimed at stealing wallet credentials or installing crypto miners. Vigilance is crucial as adversaries continue to integrate blockchain tools into sophisticated cyberattack strategies, demonstrating the adaptability, creativity, technical expertise and innovative methods of threat actors in the crypto space.
Filed under: News - @ September 4, 2025 1:29 pm