Software supply-chain attacks are evolving in a disturbing way as cybercriminals use Ethereum smart contracts to hide malicious code within open-source libraries. Research presented by a security firm ReversingLabs shows that hackers now insert command-and-control instructions within blockchain contracts, complicating detection and closure by defenders. This approach signifies the increased complexity of malware distribution and blockchain becoming a tool of cybercrime.
The campaign primarily targeted Node Package Manager (npm), a platform that hosts millions of JavaScript packages. Two suspicious packages, “colortoolsv2” and “mimelib2,” emerged in July and served as carriers of the malicious code.
Instead of embedding links directly within the package, the malware executed obfuscated scripts that queried Ethereum contracts to retrieve the payload location. Consequently, this method complicated traditional detection systems that usually flag hard-coded malicious domains.
Once the script accessed the smart contract, it directed the infected package to download a secondary malware component. This design allowed attackers to maintain flexibility by changing payload locations on the blockchain, without altering the npm package itself.
Besides, the campaign used crypto-themed GitHub repositories filled with fake stars and generated commits to appear legitimate, luring unsuspecting developers to integrate the packages.
ReversingLabs researchers uncovered that the malicious npm packages were part of a broader campaign extending to GitHub projects. Fake repositories such as “solana-trading-bot-v2” attempted to establish credibility through automated commits and staged community activity. Behind the façade, attackers quietly rotated malicious dependencies under different names, spreading the infection across multiple projects.
Moreover, this attack followed earlier incidents flagged by security firms where npm and GitHub were exploited to push fraudulent trading bots and crypto utilities. Hence, the latest campaign marks a concerning evolution, showing that threat actors are not only abusing open-source trust but also integrating blockchain technology into their attack chains.
