According to Cointelegraph, threat actors have developed a sophisticated method to deliver malicious software through Ethereum smart contracts, circumventing traditional security scans. This evolution in cyberattacks has been identified by cybersecurity researchers at ReversingLabs, who discovered new open-source malware on the Node Package Manager (NPM) repository, a vast collection of JavaScript packages and libraries.

ReversingLabs researcher Lucija Valentić highlighted in a recent blog post that the malware packages, named “colortoolsv2” and “mimelib2,” utilize Ethereum smart contracts to conceal malicious commands. These packages, published in July, function as downloaders that retrieve command and control server addresses from smart contracts rather than directly hosting malicious links. This approach complicates detection efforts, as the blockchain traffic appears legitimate, allowing the malware to install downloader software on compromised systems.

Using Ethereum smart contracts to host the URLs from which malicious commands are fetched is a novel technique in malware deployment. Valentić noted that this method marks a significant shift in detection evasion strategies, as malicious actors increasingly exploit open-source repositories and developers. This tactic was previously employed by the North Korean-affiliated Lazarus Group earlier this year, but the current approach demonstrates a rapid evolution in attack vectors.
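One way a defender could triage an npm package for the pattern described above (an install-time script that reads a location from an Ethereum contract, then downloads and runs whatever it finds), as an added Python example that is not part of ReversingLabs' research or the original article. The indicator regexes and the two package fixtures are constructed assumptions for illustration; they are not the contents of colortoolsv2 or mimelib2.

```python
import json
import re

# Indicator families (assumed patterns for illustration, not taken from the real packages).
CHAIN_READ = re.compile(r"require\(['\"](ethers|web3)['\"]\)|eth_call|new\s+\w*\.?Contract\(")
DOWNLOAD = re.compile(r"\bfetch\(|https?\.get\(|require\(['\"]axios['\"]\)")
EXECUTE = re.compile(r"require\(['\"]child_process['\"]\)|\beval\(|new\s+Function\(|vm\.runIn\w+Context")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def triage_package(package_json: str, sources: dict) -> dict:
    """Scan one package (package.json text + {filename: JS source}) and return indicator hits."""
    manifest = json.loads(package_json)
    deps = set(manifest.get("dependencies", {})) | set(manifest.get("devDependencies", {}))
    src = "\n".join(sources.values())
    hits = {
        # Lifecycle hooks let the code run at install time, before anyone reads it.
        "install_hooks": sorted(h for h in INSTALL_HOOKS if h in manifest.get("scripts", {})),
        "chain_read": bool(CHAIN_READ.search(src)) or bool({"ethers", "web3"} & deps),
        "download": bool(DOWNLOAD.search(src)),
        "execute": bool(EXECUTE.search(src)),
    }
    # Flag only the full chain (on-chain lookup, runtime download, execution);
    # a genuine dApp that merely depends on ethers must not trip the rule.
    full_chain = hits["chain_read"] and hits["download"] and hits["execute"]
    hits["verdict"] = "suspicious" if full_chain else "no-match"
    return hits


# Constructed fixture showing the reported downloader shape; all identifiers are placeholders.
SUSPECT_MANIFEST = json.dumps({
    "name": "example-trading-helper", "version": "1.0.0",
    "scripts": {"postinstall": "node index.js"},
    "dependencies": {"ethers": "^6.0.0"},
})
SUSPECT_SOURCES = {"index.js": """
const { ethers } = require('ethers');
const { execSync } = require('child_process');
const contract = new ethers.Contract(ADDRESS_PLACEHOLDER, ABI_PLACEHOLDER, provider);
// ... the string read from the contract is passed to fetch(...) and its body to execSync(...)
"""}

# Constructed benign fixture: reads the chain but never downloads or executes anything.
BENIGN_MANIFEST = json.dumps({"name": "example-balance-reader", "version": "0.1.0",
                              "dependencies": {"ethers": "^6.0.0"}})
BENIGN_SOURCES = {"index.js": "const { ethers } = require('ethers');\nmodule.exports = (p, a) => p.getBalance(a);"}

if __name__ == "__main__":
    for m, s in ((SUSPECT_MANIFEST, SUSPECT_SOURCES), (BENIGN_MANIFEST, BENIGN_SOURCES)):
        print(triage_package(m, s))
```

The rule deliberately requires all three indicators together, so a legitimate wallet or dApp library that only depends on ethers is reported as no-match.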

The malware packages are part of a broader deception campaign operating primarily through GitHub. Threat actors have created fake cryptocurrency trading bot repositories, presenting them as credible through fabricated commits, fake user accounts, multiple maintainer accounts, and professional-looking project descriptions and documentation. This elaborate social engineering strategy aims to bypass traditional detection methods by combining blockchain technology with deceptive practices.

In 2024, security researchers documented 23 crypto-related malicious campaigns on open-source repositories. However, this latest attack vector underscores the ongoing evolution of repository attacks. Beyond Ethereum, similar tactics have been employed on other platforms, such as a fake GitHub repository posing as a Solana trading bot, which distributed malware to steal crypto wallet credentials. Additionally, hackers have targeted “Bitcoinlib,” an open-source Python library designed to facilitate Bitcoin development, further illustrating the diverse and adaptive nature of these cyber threats.