Hackers Exploit Ethereum Smart Contracts to Conceal Malware
Cybersecurity researchers at ReversingLabs have uncovered a new malware technique in which attackers use Ethereum smart contracts to hide malicious commands and links, making detection more difficult.
According to the report, two malicious packages were identified on the Node Package Manager (NPM) repository: colortoolsv2 and mimelib2. Published in July, both packages acted as downloaders that retrieved addresses from Ethereum smart contracts instead of hosting malicious links directly. This method allowed attackers to bypass traditional security scans, as blockchain queries appeared legitimate.
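A defender-side triage heuristic for the pattern described above, added here as an example and not taken from ReversingLabs or the original article: it flags package source that pairs an on-chain read with download or process-execution code. The signal lists, verdict names and sample snippets are assumptions constructed for illustration.

```javascript
// Added example: static triage heuristic over package source text.
// Signal lists and verdict names are assumptions, not a vendor's rule set.
const SIGNALS = {
  chain: [ // signs of an on-chain lookup
    /(require\(\s*|from\s+)['"](ethers|web3)['"]/, // blockchain client library
    /\beth_call\b/,                                // raw JSON-RPC contract read
    /\b0x[0-9a-fA-F]{40}\b/,                       // hard-coded 20-byte address
  ],
  fetch: [ // signs of retrieving remote content
    /(require\(\s*|from\s+)['"](node:)?(https?|axios|node-fetch|got)['"]/,
    /\bfetch\s*\(/,
  ],
  exec: [ // signs of running what was retrieved
    /(require\(\s*|from\s+)['"](node:)?child_process['"]/,
    /\b(exec|execSync|execFile|spawn|spawnSync)\s*\(/,
    /\beval\s*\(|\bnew\s+Function\s*\(/,
  ],
};

function scanSource(src) {
  const hits = {};
  for (const [group, patterns] of Object.entries(SIGNALS)) {
    hits[group] = patterns.filter((re) => re.test(src)).map((re) => re.source);
  }
  const has = (g) => hits[g].length > 0;
  // A contract read alone is normal for a dApp. Paired with download or
  // process execution it is what a colour or MIME helper should never need.
  let verdict = 'none';
  if (has('chain') && has('exec')) verdict = 'high';
  else if (has('chain') && has('fetch')) verdict = 'medium';
  else if (has('chain')) verdict = 'low';
  return { verdict, hits };
}

// Constructed sample sources (not code from the packages named in the article).
const SAMPLES = {
  'colour-helper': "module.exports = (r, g, b) => '#' + [r, g, b].map((v) => v.toString(16)).join('');",
  'dapp-reader': "const { ethers } = require('ethers');\n" +
    "const c = new ethers.Contract('0x" + '0'.repeat(40) + "', abi, provider);",
  'lookup-then-run': "const { ethers } = require('ethers');\n" +
    "const { exec } = require('child_process');\n" +
    "// value read from contract 0x" + '1'.repeat(40) + " is fetched and executed",
};

function triage(samples) {
  return Object.fromEntries(
    Object.entries(samples).map(([name, src]) => [name, scanSource(src).verdict]));
}
console.log(triage(SAMPLES));
```

The verdicts are review priorities, not proof of malice, and obfuscated strings or dynamically built module names will evade plain pattern matching.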
> “What is new and different is the use of Ethereum smart contracts to host the URLs where malicious commands are located,” said ReversingLabs researcher Lucija Valentić. “That’s something we haven’t seen previously, and it highlights the fast evolution of detection evasion strategies.”
Part of a Larger Deception Campaign
The malware was linked to a broader social engineering campaign primarily conducted through GitHub. Threat actors created fake repositories for cryptocurrency trading bots, using fabricated commits, multiple fake maintainers, and professional-looking documentation to gain trust among developers.
This is not the first time blockchain has been misused for such purposes. Earlier this year, North Korea-affiliated groups reportedly used Ethereum smart contracts for similar attacks. In other cases, fake repositories have targeted Solana trading bots and even the Python library “Bitcoinlib” to deliver malware.
Ongoing Evolution of Attacks
ReversingLabs noted that in 2024 alone, 23 crypto-related malicious campaigns were identified on open-source repositories. The latest discovery demonstrates how attackers are increasingly combining blockchain technology with advanced social engineering to bypass traditional security tools and compromise developers.