Bad actors have started using Ethereum smart contracts to deploy malicious software and code, and are therefore able to bypass traditional security scans using this novel technique.
Summary
- The npm packages use Ethereum smart contracts to hide malicious payloads.
- Researchers believe it is part of a larger campaign that primarily operates through GitHub.
Researchers at ReversingLabs have flagged a new open-source malware that has been deployed across the Node Package Manager (NPM) repository, where it uses obfuscated scripts and smart contracts to fetch command-and-control server URLs that deliver malicious payloads onto compromised systems.
The NPM package repository is a widely used platform for distributing JavaScript libraries and tools. Over the past few years, it has increasingly become a target for software supply chain attacks as hackers are able to trick developers into integrating malicious dependencies into their projects via this method.
According to ReversingLabs, a new strain of open-source malware was found hidden in two npm packages named colortoolsv2 and mimelib2. The packages were found to be using Ethereum smart contracts to remotely load malicious commands and install downloader malware on infected systems.
Both the packages first surfaced in July and function as simple downloaders at first glance. However, instead of directly hosting malicious links, those packages would query the blockchain to fetch URLs when installed.
Subsequently, the retrieved URLs would connect to attacker-controlled command-and-control servers, which then delivered a second-stage payload. Typically, these malicious payloads are designed to exfiltrate sensitive data, install remote access tools, or serve as entry points for a larger attack.
Researchers at ReversingLabs claimed the packages were published as part of a broader campaign targeting open-source ecosystems like npm and GitHub, where attackers relied on social engineering and deceptive project setups to target developers into integrating the malicious code into real-world applications.
Threat actors have long employed infrastructure-level tactics that are harder to detect. A separate report from ReversingLabs published earlier this year found a trojanized npm package that scanned systems for installed wallets like Atomic and Exodus and silently redirected transactions to attacker-controlled addresses.
Meanwhile, the infamous North Korean hacking group Lazarus was observed deploying its own malicious npm packages earlier this year.
Another incident flagged by security firm Slowmist in 2024 revealed a scam using a malicious Ethereum remote procedure call (RPC) function to deceive users of the imToken wallet.
However, unlike the previous attack vectors, the new campaign discovered by ReversingLabs separates itself by using “ethereum smart contracts to host the URLs where malicious commands are located,” the report noted.
ReversingLabs urged developers to exercise caution when interacting with npm libraries and third-party packages.
“It is critical for developers to assess each library […] and that means pulling back the covers on both open source packages and their maintainers: looking beyond raw numbers of maintainers, commits, and downloads to assess whether a given package – and the developers behind it – are what they present themselves as.”
