ReversingLabs researchers uncovered two NPM packages that used Ethereum smart contracts to hide malicious URLs and bypass security scans.
Threat actors have found a new way to deliver malicious software, commands, and links inside Ethereum smart contracts to evade security scans as attacks using code repositories evolve.
Cybersecurity researchers at digital asset compliance firm ReversingLabs have found new pieces of open-source malware discovered on the Node Package Manager (NPM) package repository, a large collection of JavaScript packages and libraries.
The malware packages “employ a novel and creative technique for loading malware on compromised devices — smart contracts for the Ethereum blockchain,” ReversingLabs researcher Lucija Valentić said in a blog post on Wednesday.
The two packages, “colortoolsv2” and “mimelib2,” published in July, “abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems,” explained Valentić.
To avoid security scans, the packages functioned as simple downloaders and instead of directly hosting malicious links, they retrieved command and control server addresses from the smart contracts.
When installed, the packages would query the blockchain to fetch URLs for downloading second-stage malware, which carries the payload or action, making detection more difficult since blockchain traffic appears legitimate.
Malware targeting Ethereum smart contracts is not new; it was used earlier this year by the North Korean-affiliated hacking collective the Lazarus Group.
“What is new and different is the use of Ethereum smart contracts to host the URLs where malicious commands are located, downloading the second-stage malware,” said Valentić, who added:
“That’s something we haven’t seen previously, and it highlights the fast evolution of detection evasion strategies by malicious actors who are trolling open source repositories and developers.”
The malware packages were part of a larger, elaborate social engineering and deception campaign primarily operating through GitHub.
Threat actors created fake cryptocurrency trading bot repositories designed to look highly trustworthy through fabricated commits, fake user accounts created specifically to watch repositories, multiple maintainer accounts to simulate active development, and professional-looking project descriptions and documentation.
Related: Crypto users warned as ads push malware-laden crypto apps
In 2024, security researchers documented 23 crypto-related malicious campaigns on open-source repositories, but this latest attack vector “shows that attacks on repositories are evolving,” combining blockchain technology with elaborate social engineering to bypass traditional detection methods, Valentić concluded.
These attacks are not only executed on Ethereum. In April, a fake GitHub repository posing as a Solana trading bot was used to distribute obscured malware that stole crypto wallet credentials. Hackers have also targeted “Bitcoinlib,” an open-source Python library designed to make Bitcoin development easier.
