Ethereum Smart Contracts Exploited to Hide Malware in Popular NPM Packages
Ethereum has become a new tool for cybercriminals targeting the software supply chain. Researchers at ReversingLabs discovered two malicious NPM packages, colortoolsv2 and mimelib2, that used Ethereum smart contracts to conceal harmful code.
While the packages appeared to be simple developer utilities, they secretly tapped Ethereum’s blockchain to fetch hidden URLs, instructing compromised systems to download second-stage malware. Embedding these commands within smart contracts allowed attackers to disguise their activity as legitimate blockchain traffic, bypassing standard security checks.
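One defensive check a registry mirror or CI gate could run against an npm tarball, as an added example that is not part of the article or of ReversingLabs' tooling: a static heuristic flagging code that combines an Ethereum contract read (the hidden-URL lookup described above) with download and execution primitives. The package fixtures are constructed for illustration and are not the contents of colortoolsv2 or mimelib2.

```javascript
// Added example, not from the article: a static heuristic over npm package sources.
// It looks for the combination described above (an Ethereum contract read that yields
// data, plus primitives to fetch and run a second stage). Either half alone is common
// in legitimate code; together in one package they warrant human review.
const INDICATORS = {
  // Reading data from a smart contract via web3.js, ethers.js or raw JSON-RPC.
  chainRead: /\b(eth_call|new\s+(?:ethers\.)?Contract\s*\(|getDefaultProvider|web3\.eth)/,
  // Pulling a remote resource at runtime.
  fetch: /\b(https?\.get|fetch\(|axios\.(?:get|post)|request\()/,
  // Executing code or writing files on the host.
  exec: /\b(child_process|exec(?:Sync|File)?\(|spawn\(|eval\(|new\s+Function\(|writeFileSync)/,
};
// Lifecycle scripts run automatically at install time, so a package using them
// gets code execution without ever being imported by the developer.
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];

function scanPackage(pkg) {
  const hits = new Set();
  for (const src of pkg.sources) {
    for (const [name, re] of Object.entries(INDICATORS)) {
      if (re.test(src)) hits.add(name);
    }
  }
  const lifecycle = LIFECYCLE.filter((k) => pkg.scripts && pkg.scripts[k]);
  // Chain read plus fetch or exec is the pattern the article describes; an
  // install hook raises the verdict because nothing has to import the module.
  let verdict = 'ok';
  if (hits.has('chainRead') && (hits.has('fetch') || hits.has('exec'))) {
    verdict = lifecycle.length ? 'block' : 'review';
  } else if (lifecycle.length && hits.has('exec')) {
    verdict = 'review';
  }
  return { verdict, indicators: [...hits].sort(), lifecycle };
}

// Constructed fixtures for illustration only; not the contents of any real package.
const suspiciousFixture = {
  name: 'example-color-utils',
  scripts: { postinstall: 'node setup.js' },
  sources: [
    'const c = new ethers.Contract(addr, abi, getDefaultProvider());',
    'const target = await c.lookup(); https.get(target, onResponse);',
    'require("child_process").execSync(cmd);',
  ],
};
const benignFixture = {
  name: 'example-balance-viewer',
  scripts: {},
  sources: ['const c = new ethers.Contract(addr, abi, provider); show(await c.balanceOf(me));'],
};
console.log(scanPackage(suspiciousFixture).verdict, scanPackage(benignFixture).verdict); // block ok
```

The benign fixture reads a contract too but never fetches or executes anything, so it stays at "ok"; the heuristic is a triage signal for review, not proof of compromise.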
NPM, the largest package registry for Node.js, hosts millions of code modules and remains a key target for attackers. The malicious packages were uploaded in July and initially seemed harmless, but the blockchain-based approach made them harder to detect.
“This is a novel tactic we haven’t observed before,” said Lucija Valentić, a researcher at ReversingLabs. “It shows how attackers are rapidly evolving their strategies, targeting open-source repositories and developers alike.”
The technique builds on older supply chain attacks that relied on trusted platforms like GitHub Gists, Google Drive, or OneDrive to host malware. By leveraging Ethereum smart contracts, attackers added a crypto-focused twist to a familiar threat.
Further investigation revealed the packages were linked to fake GitHub repositories posing as cryptocurrency trading bots, with fabricated commits, bogus accounts, and inflated star counts to appear legitimate. Developers who downloaded the code risked unknowingly importing malware.
Open-source supply chain attacks are not new. Last year, over 20 campaigns targeted developers via NPM and PyPI, aiming to steal crypto wallet credentials or deploy miners. The use of Ethereum smart contracts as a delivery mechanism highlights how quickly attackers adapt to blend into blockchain ecosystems.
Key Takeaways for Developers:
- Repository metrics and active maintainers can be falsified.
- Seemingly benign packages may hide malicious payloads.
- Vigilance is critical when integrating open-source crypto tools.