Hackers Exploit Ethereum Smart Contracts to Evade Detection in Malicious npm Packages

A new cybersecurity threat has emerged as hackers leverage Ethereum smart contracts to conceal malicious code within open-source software, according to a recent report by software security firm ReversingLabs. This sophisticated campaign targets developers through the Node Package Manager (NPM) repository, a widely used platform for JavaScript libraries, by embedding harmful instructions in seemingly legitimate packages. The novel use of blockchain technology to bypass traditional security measures marks a significant evolution in software supply chain attacks, posing a serious risk to cryptocurrency developers and their projects.

The campaign involves two malicious npm packages named “colortoolsv2” and “mimelib2,” which were designed to fetch command-and-control (C2) URLs from Ethereum smart contracts. These URLs directed compromised systems to download second-stage malware, effectively disguising malicious activity as routine blockchain traffic. ReversingLabs researcher Lucija Valentić emphasized that this approach, which avoids hardcoding malicious links within the packages themselves, is a novel tactic that complicates detection and removal efforts. The packages were promptly removed from npm after being reported, but their brief presence highlights the growing ingenuity of cybercriminals exploiting open-source ecosystems.
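To make the described pattern concrete from a defender's side, here is an added example (not ReversingLabs' code and not taken from the real packages) of a heuristic static scan over an unpacked npm package. It flags the combination the report describes: an install-time lifecycle hook, a smart-contract read, and a primitive that can download or execute a second stage. The indicator lists, the risk ladder, and the two sample packages are constructed for illustration; the "suspicious" sample contains only indicator tokens and is not functional code.

```javascript
// Added example, not ReversingLabs' or npm's code: a heuristic static scan for the
// pattern described in the report. Indicator lists and thresholds are assumptions.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Tokens that suggest a contract read (ethers/web3 clients, raw eth_call).
const CHAIN_READ = [/\bethers\b/, /\bweb3\b/, /JsonRpcProvider/, /\beth_call\b/, /new\s+Contract\s*\(/];

// Tokens that suggest fetching or running a second stage.
const STAGE_TWO = [/\bchild_process\b/, /\beval\s*\(/, /new\s+Function\s*\(/, /vm\.runIn\w+/,
                   /\bfetch\s*\(/, /https?\.get\s*\(/, /\baxios\b/];

// Return the source of each pattern that matches anywhere in `text`.
function matchAny(text, patterns) {
  return patterns.filter((re) => re.test(text)).map((re) => re.source);
}

// `files` maps file names to contents, i.e. a package tarball unpacked in memory.
function scanPackage(files) {
  const findings = [];
  let manifest = {};
  try {
    manifest = JSON.parse(files['package.json'] || '{}');
  } catch {
    findings.push('package.json does not parse');
  }
  const scripts = manifest.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
  if (hooks.length) findings.push(`install lifecycle hooks: ${hooks.join(', ')}`);

  // Concatenate all JavaScript sources; a real scanner would also unpack minified bundles.
  const source = Object.entries(files)
    .filter(([name]) => /\.[cm]?js$/.test(name))
    .map(([, body]) => body)
    .join('\n');
  const chain = matchAny(source, CHAIN_READ);
  const stage2 = matchAny(source, STAGE_TWO);
  if (chain.length) findings.push(`contract-read indicators: ${chain.join(' ')}`);
  if (stage2.length) findings.push(`download/exec indicators: ${stage2.join(' ')}`);

  // Contract read plus download/exec is the combination worth a human look; an
  // install hook on top means it runs before anyone has reviewed the code.
  let risk = 'low';
  if (chain.length && stage2.length) risk = hooks.length ? 'high' : 'medium';
  else if (hooks.length && stage2.length) risk = 'medium';
  return { risk, findings };
}

// Constructed samples (hypothetical names, not the real packages). The suspicious
// one holds only indicator tokens and is a non-functional sketch of the described flow.
const BENIGN = {
  'package.json': JSON.stringify({ name: 'wallet-utils-sample', version: '1.0.0' }),
  'index.js': [
    "const { ethers } = require('ethers');",
    'async function balance(provider, addr) { return provider.getBalance(addr); }',
    'module.exports = { balance };',
  ].join('\n'),
};

const SUSPICIOUS = {
  'package.json': JSON.stringify({
    name: 'colortools-sample', version: '1.0.0', scripts: { postinstall: 'node setup.js' },
  }),
  'setup.js': [
    "const { JsonRpcProvider, Contract } = require('ethers');",
    "const { execFile } = require('child_process');",
    '// sketch only: read a string from a contract, then https.get(thatString, ...)',
    'const c = new Contract(ADDR, ABI, new JsonRpcProvider(RPC));',
  ].join('\n'),
};

console.log(JSON.stringify(scanPackage(BENIGN), null, 2));
console.log(JSON.stringify(scanPackage(SUSPICIOUS), null, 2));
```

A legitimate wallet library will trip the contract-read indicators on its own, which is why the scan only escalates when a download or execution primitive is present as well; the result is a triage queue for review, not a verdict.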

A Broader Campaign Targeting Crypto Developers

The malicious npm packages are part of a larger, orchestrated effort that extends beyond NPM to include deceptive GitHub repositories. These repositories, often disguised as cryptocurrency trading bots like Solana “trading-bot-v2,” were crafted to appear trustworthy through fabricated commits, inflated star counts, and fake maintainer accounts. Such social engineering tactics are designed to trick developers into integrating these tainted packages into their projects, potentially compromising sensitive development assets and digital currencies. Valentić noted that the campaign’s reliance on blockchain-hosted C2 instructions represents a significant departure from previous attacks, which typically embedded malicious scripts directly within packages.

This is not the first instance of open-source repositories being targeted for crypto-related attacks. Earlier this year, we reported on how Bitcoin Cash, KeepKey hardware wallet, and other cryptocurrency npm packages were being targeted in an infostealer exploit. However, the use of Ethereum smart contracts to host malicious URLs introduces a new layer of complexity, as blockchain traffic is often perceived as legitimate and is harder to scrutinize. The campaign’s sophistication underscores the need for developers to exercise heightened caution when selecting third-party libraries, as even seemingly reputable packages may harbor hidden threats.

The broader campaign also reveals a pattern of exploiting developer trust through carefully curated GitHub repositories. By creating the illusion of active development and community engagement, threat actors increase the likelihood that their malicious packages will be adopted. For instance, repositories like the Solana “trading-bot-v2” featured thousands of superficial commits and coordinated stargazer activity to bolster their credibility. This tactic, combined with the use of blockchain, demonstrates how attackers are adapting to evade conventional security tools and exploit the decentralized nature of open-source platforms.

The discovery of this campaign serves as a reminder for crypto developers to thoroughly vet open-source libraries and their maintainers. Valentić stressed that developers must look beyond surface-level metrics, such as download counts or repository stars, to assess the legitimacy of packages. Implementing rigorous auditing protocols and monitoring for unusual blockchain interactions can help mitigate the risks posed by such attacks.
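The repository red flags described above (superficial commit churn, coordinated starring, newly created maintainer accounts) and the advice to look past raw star and download counts can be turned into offline checks. The following is an added example, not part of the article or the ReversingLabs report; the metrics, thresholds, and the metadata for the two hypothetical repositories are constructed assumptions.

```javascript
// Added example, not from the report: scoring repository trust signals offline
// over constructed metadata. Thresholds are assumptions for illustration.

const DAY_MS = 24 * 60 * 60 * 1000;

// Share of commits that touch at most `maxLines` lines (padding churn).
function superficialCommitRatio(commits, maxLines = 2) {
  if (commits.length === 0) return 0;
  const trivial = commits.filter((c) => c.linesChanged <= maxLines).length;
  return trivial / commits.length;
}

// Largest share of all stars that landed inside any single window of `windowMs`
// (sliding window over sorted timestamps).
function starBurstRatio(starTimes, windowMs = DAY_MS) {
  if (starTimes.length === 0) return 0;
  const t = [...starTimes].sort((a, b) => a - b);
  let best = 0;
  let j = 0;
  for (let i = 0; i < t.length; i++) {
    while (t[i] - t[j] > windowMs) j++;
    best = Math.max(best, i - j + 1);
  }
  return best / t.length;
}

// meta = { commits: [{ linesChanged }], starTimes: [ms epoch], maintainers: [{ createdAt }] }
function assessRepo(meta, now) {
  const flags = [];
  const churn = superficialCommitRatio(meta.commits);
  if (meta.commits.length >= 100 && churn >= 0.8) {
    flags.push(`${Math.round(churn * 100)}% of ${meta.commits.length} commits change <=2 lines`);
  }
  const burst = starBurstRatio(meta.starTimes);
  if (meta.starTimes.length >= 50 && burst >= 0.5) {
    flags.push(`${Math.round(burst * 100)}% of stars arrived within one day`);
  }
  const young = meta.maintainers.filter((m) => now - m.createdAt < 30 * DAY_MS);
  if (meta.maintainers.length > 0 && young.length === meta.maintainers.length) {
    flags.push('every maintainer account is younger than 30 days');
  }
  return { flags, verdict: flags.length >= 2 ? 'manual review before use' : 'no metric red flags' };
}

// Constructed metadata for two hypothetical repositories, evaluated at a fixed "now".
const NOW = Date.UTC(2025, 0, 1);
const PADDED_BOT = {
  commits: Array.from({ length: 2000 }, () => ({ linesChanged: 1 })),
  starTimes: Array.from({ length: 60 }, (_, i) => NOW - 10 * DAY_MS + i * 60000),
  maintainers: [{ createdAt: NOW - 5 * DAY_MS }, { createdAt: NOW - 2 * DAY_MS }],
};
const LONG_LIVED = {
  commits: Array.from({ length: 400 }, (_, i) => ({ linesChanged: 5 + (i % 40) })),
  starTimes: Array.from({ length: 120 }, (_, i) => NOW - (i + 1) * 3 * DAY_MS),
  maintainers: [{ createdAt: NOW - 1500 * DAY_MS }],
};

console.log(assessRepo(PADDED_BOT, NOW));
console.log(assessRepo(LONG_LIVED, NOW));
```

The point of the verdict string is that a repository with thousands of commits and a healthy star count can still fail every check; the numbers only mean something once their distribution over time and over accounts is examined. Real metadata of this shape is available from GitHub's commit, stargazer, and user endpoints, which the example leaves out so that it runs offline.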