Ethereum Smart Contracts Used by Hackers to Obscure Malicious Activity

Ethereum Smart Contracts Used to Conceal Malware in NPM Packages

Cybercriminals are exploiting Ethereum smart contracts to hide malware in popular software packages. Researchers at ReversingLabs identified two malicious NPM modules, colortoolsv2 and mimelib2, which used Ethereum to fetch hidden URLs, directing systems to download second-stage malware.

The packages, uploaded in July, appeared as simple developer utilities but embedded blockchain commands that masked malicious activity as legitimate Ethereum traffic. This technique allowed the malware to bypass standard security checks, making detection difficult.
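For triage of a dependency tree, the pattern described above can be approximated by flagging any source file that both talks to Ethereum and is able to download or execute something. The sketch below is an added example, not ReversingLabs' detection logic or code from the packages; the indicator lists, function names and sample files are assumptions constructed for illustration.

```javascript
// Added example: triage heuristic, not ReversingLabs' detection logic.
// Both indicator lists are assumptions chosen for illustration.
const CHAIN = [
  [/\b(?:require|from)\s*\(?\s*['"](?:ethers|web3)['"]/, 'imports an Ethereum client library'],
  [/\beth_call\b/, 'raw eth_call JSON-RPC request'],
  [/\b0x[0-9a-fA-F]{40}\b/, 'hard-coded 20-byte address'],
];
const FETCH_OR_RUN = [
  [/\bchild_process\b/, 'loads child_process'],
  [/\b(?:https?\.get|fetch|axios)\b/, 'makes HTTP requests'],
  [/\b(?:eval|Function)\s*\(/, 'evaluates dynamic code'],
];

function hits(src, rules) {
  return rules.filter(([re]) => re.test(src)).map(([, why]) => why);
}

// Flag a file only when it both talks to a chain AND can download or run
// something; either capability alone is common in legitimate packages.
function scanSource(src) {
  const chain = hits(src, CHAIN);
  const run = hits(src, FETCH_OR_RUN);
  return { chain, run, suspicious: chain.length > 0 && run.length > 0 };
}

// files: { relativePath: sourceText }. Returns findings for flagged files only.
function scanPackage(files) {
  return Object.entries(files)
    .map(([path, src]) => ({ path, ...scanSource(src) }))
    .filter((f) => f.suspicious);
}

// Constructed samples; NOT the real colortoolsv2 or mimelib2 sources.
const SAMPLE = {
  'index.js': [
    "const { ethers } = require('ethers');",
    "const cp = require('child_process');",
    '// (body elided) a string read from a contract is handed to cp',
  ].join('\n'),
  'wallet.js': "import { ethers } from 'ethers';\nexport const bal = (p, a) => p.getBalance(a);",
  'build.js': "const { execSync } = require('child_process');\nexecSync('tsc -p .');",
};

for (const f of scanPackage(SAMPLE)) {
  console.log(f.path, '|', f.chain.join('; '), '|', f.run.join('; '));
}
```

A hit is a prompt for manual review, not a verdict: legitimate crypto tooling can match both lists, and obfuscated code can match neither.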

“This is a novel tactic we haven’t seen before,” said Lucija Valentić, a ReversingLabs researcher. “It demonstrates how attackers are evolving quickly, targeting open-source repositories and developers.”

The malicious packages were linked to fake GitHub repositories posing as cryptocurrency trading bots, padded with fabricated commits and bogus accounts to appear legitimate.

Open-source supply chain attacks are not new—over 20 campaigns were flagged last year targeting NPM and PyPI, often to steal crypto wallets or install miners. Using Ethereum smart contracts as a delivery method shows attackers are adapting rapidly within blockchain ecosystems.

Key Takeaways for Developers:

  • Even popular or seemingly legitimate packages can carry hidden malware.
  • Repository metrics and commits can be faked.
  • Vigilance is crucial when integrating open-source crypto tools.