Hackers Use Ethereum Smart Contracts to Hide Malware in Open-Source Repositories

Key Takeaways

  • New malware tactic: Hackers are using Ethereum smart contracts to hide malicious URLs and bypass security scans.

  • Discovery: ReversingLabs found two infected NPM packages (colortoolsv2 and mimelib2) published in July.

  • How it works: The packages acted as downloaders, pulling command-and-control server addresses from the blockchain to install second-stage malware.

  • Deception campaign: Attackers created fake GitHub repositories with fabricated commits, multiple maintainers, and polished documentation to appear trustworthy.

  • Novelty: While Ethereum has been abused before, this is the first observed case of smart contracts hosting malware delivery instructions.

  • Wider trend: At least 23 crypto-related malware campaigns have been documented in open-source repositories in 2024.

  • Beyond Ethereum: Similar attacks targeted Solana trading bots and the Python library Bitcoinlib, showing the threat spans multiple ecosystems.

Overview

Cybersecurity researchers have discovered a new method of distributing malware that leverages Ethereum smart contracts, marking an escalation in how attackers exploit open-source ecosystems and blockchain technology.

According to a report published this week by digital asset compliance firm ReversingLabs, two malicious Node Package Manager (NPM) libraries were found to contain hidden code designed to download additional malware from URLs stored on the Ethereum blockchain.

The finding underscores how threat actors combine traditional malware distribution techniques with blockchain-based infrastructure to bypass conventional security scans.

Discovery in the NPM Repository

NPM, one of the world’s largest open-source repositories for JavaScript code, has been a frequent target for malware campaigns due to its popularity among developers. ReversingLabs researchers identified two packages – colortoolsv2 and mimelib2 – that were uploaded in July and appeared to be legitimate tools at first glance.

In reality, the packages used an unusual mechanism for concealing malicious instructions. Instead of embedding harmful code or URLs directly into the package, the libraries contained routines that queried Ethereum smart contracts for command-and-control (C2) server addresses.

By outsourcing this step to the blockchain, attackers were able to avoid detection, since the packages themselves did not include the malicious payload or any suspicious external links.

“This is a novel and creative technique for loading malware on compromised devices – smart contracts for the Ethereum blockchain,” said ReversingLabs researcher Lucija Valentić in a blog post on Wednesday.

How the Attack Worked

Once downloaded by a developer, the compromised packages initiated a process to check Ethereum smart contracts for stored URLs. These addresses pointed to servers controlled by the attackers, where the second-stage malware was hosted.

The second-stage malware performed the actual payload execution, from installing downloader tools to facilitating remote control of the compromised system. Because the traffic involved blockchain queries, which typically appear legitimate to monitoring systems, the entire operation was more challenging to detect.

Valentić explained that the method differs from previous campaigns in its use of blockchain not simply as a target, but as a delivery mechanism.

“What is new and different is the use of Ethereum smart contracts to host the URLs where malicious commands are located, downloading the second-stage malware,” she noted.

Part of a Larger Deception Campaign

The discovery of these packages revealed they were only one piece of a broader social engineering scheme. Attackers created fake GitHub repositories that posed as cryptocurrency trading bots, complete with fabricated commits, multiple maintainer profiles, and professional project documentation.

By simulating legitimate development activity, the threat actors sought to build trust among developers who might install the compromised tools. In some cases, fake user accounts were set up specifically to follow or star repositories, further reinforcing the illusion of authenticity.

This elaborate approach highlights how attackers increasingly rely on social engineering and technical exploits to spread malicious software within the open-source community.

A Growing Attack Vector

While malicious actors have previously used Ethereum smart contracts in cyberattacks, the tactic has primarily been associated with groups such as North Korea’s Lazarus Group, which employed blockchain infrastructure for other malware delivery forms earlier this year.

The ReversingLabs discovery marks the first time researchers have observed smart contracts being used explicitly to conceal malware download instructions within an open-source package.

The method illustrates the rapid evolution of detection evasion strategies, Valentić said, emphasizing that malicious actors are increasingly exploiting the trust inherent in open-source ecosystems.

Broader Trends in Open-Source Malware

The incident is not isolated. In 2024 alone, cybersecurity researchers documented 23 malicious campaigns targeting crypto users via open-source repositories. Attackers have broadened their scope beyond Ethereum-related tools.

In April, a fake GitHub repository masquerading as a Solana trading bot was discovered distributing malware that captured wallet credentials. Other campaigns have targeted tools like Bitcoinlib, a widely used Python library designed to simplify Bitcoin development.

These cases highlight how open-source projects – critical components of the cryptocurrency ecosystem – have become lucrative entry points for cybercriminals.

Implications for Developers and Security Teams

The findings remind developers of the risks of downloading open-source packages without thorough verification. Even repositories that appear active and well-maintained may conceal malicious intent.

For security professionals, the case illustrates how attackers are experimenting with blockchain technology as a target and as part of their operational toolkit. By embedding command infrastructure in smart contracts, attackers gain a level of resilience and legitimacy that traditional web-based servers cannot easily provide.
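The mechanism described in the sections above (a package that reads a URL from an Ethereum contract and then downloads and runs a second stage) and the verification this section urges can be turned into a concrete vetting check. The scanner below is an added example written for this article; it is not code from ReversingLabs and contains nothing from colortoolsv2 or mimelib2. It scores an npm package on three signals that only become dangerous in combination: an Ethereum contract read, a remote download or dynamic code execution, and an install-time lifecycle hook. The indicator patterns, the verdict labels and the three package fixtures are constructed for illustration; the identifiers RPC_URL, CONTRACT_ADDR, ABI and TOKEN_ADDR inside the fixtures are placeholders in strings that are never evaluated.

```javascript
// Added example for this article; not code from ReversingLabs or from the
// packages it describes. Heuristic vetting check for npm packages that pair
// an Ethereum contract read with a remote fetch or dynamic execution.
// Indicator lists, fixtures and verdict labels are constructed for illustration.

const INDICATORS = {
  ethereumRead: [
    /\beth_call\b/,                          // raw JSON-RPC contract read
    /new\s+ethers\.Contract\s*\(/,           // ethers.js contract wrapper
    /\.methods\.\w+\([^)]*\)\.call\s*\(/,    // web3.js contract read
    /\bJsonRpcProvider\b|\bWeb3\s*\(/,       // provider / client construction
  ],
  remoteFetch: [
    /\bhttps?\.get\s*\(/,                    // node http/https download
    /\bfetch\s*\(/,                          // global fetch or node-fetch
    /\baxios\.(get|post)\s*\(/,
  ],
  dynamicExec: [
    /\beval\s*\(/,
    /new\s+Function\s*\(/,
    /\bchild_process\b/,                     // spawning local processes
    /\bvm\.runIn\w*Context\s*\(/,
  ],
};

// npm runs these automatically during `npm install`, before anyone reads the code.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Count the indicator patterns that match in one source file, per category.
function scanSource(source) {
  const hits = {};
  for (const [category, patterns] of Object.entries(INDICATORS)) {
    hits[category] = patterns.filter((re) => re.test(source)).length;
  }
  return hits;
}

// files: { relativePath: contents }. Returns a verdict plus the reasons for it.
function scanPackage(files) {
  const manifest = JSON.parse(files['package.json'] || '{}');
  const scripts = manifest.scripts || {};
  const installHooks = LIFECYCLE_HOOKS.filter((hook) => scripts[hook]);
  const totals = { ethereumRead: 0, remoteFetch: 0, dynamicExec: 0 };
  for (const [name, content] of Object.entries(files)) {
    if (!name.endsWith('.js')) continue;
    const hits = scanSource(content);
    for (const key of Object.keys(totals)) totals[key] += hits[key];
  }
  const reasons = [];
  if (installHooks.length) reasons.push(`install hooks: ${installHooks.join(', ')}`);
  if (totals.ethereumRead) reasons.push('reads data from an Ethereum contract');
  if (totals.remoteFetch) reasons.push('downloads remote content');
  if (totals.dynamicExec) reasons.push('executes dynamic code or child processes');
  // The combination the report describes: a contract read feeding a downloader.
  const onChainLoader =
    totals.ethereumRead > 0 && (totals.remoteFetch > 0 || totals.dynamicExec > 0);
  let verdict = 'clean';
  if (onChainLoader) verdict = 'suspicious';
  else if (reasons.length) verdict = 'review';
  return { verdict, onChainLoader, installHooks, totals, reasons };
}

// Constructed fixtures (not the contents of any real package).
const FIXTURE_SUSPICIOUS = {
  'package.json': JSON.stringify({
    name: 'example-pkg', version: '1.0.0', scripts: { postinstall: 'node index.js' },
  }),
  'index.js': [
    "const { ethers } = require('ethers');",
    "const https = require('https');",
    "const cp = require('child_process');",
    'const provider = new ethers.JsonRpcProvider(RPC_URL);',
    'const cfg = new ethers.Contract(CONTRACT_ADDR, ABI, provider);',
    '// the next-stage address comes from the contract, not from the package',
    'https.get(stageUrl, saveToDisk);',
    'cp.execSync(localPath);',
  ].join('\n'),
};

// A legitimate on-chain read: queries a contract but fetches and executes nothing.
const FIXTURE_DAPP = {
  'package.json': JSON.stringify({ name: 'balance-reader', version: '0.1.0' }),
  'index.js': [
    "const Web3 = require('web3');",
    'const web3 = new Web3(RPC_URL);',
    'const token = new web3.eth.Contract(ABI, TOKEN_ADDR);',
    'module.exports = (addr) => token.methods.balanceOf(addr).call();',
  ].join('\n'),
};

const FIXTURE_CLEAN = {
  'package.json': JSON.stringify({ name: 'shout', version: '2.0.0' }),
  'index.js': 'module.exports = (s) => String(s).toUpperCase();',
};

for (const [label, pkg] of Object.entries({
  suspicious: FIXTURE_SUSPICIOUS, dapp: FIXTURE_DAPP, clean: FIXTURE_CLEAN,
})) {
  const result = scanPackage(pkg);
  console.log(label, '->', result.verdict, result.reasons.join('; '));
}
```

The point of the scoring is that none of the three signals is malicious on its own: wallet tooling reads contracts all day, and plenty of honest packages download assets in a postinstall hook. What the report describes is the pairing, a contract read whose result feeds a download or an execution step, and that pairing, not the presence of an Ethereum library, is what a reviewer should be asked to look at. In practice this would run over the unpacked tarball from the registry rather than the GitHub repository, since the fabricated repositories described earlier need not match what was actually published.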

Valentić concluded that the trend represents “a fast evolution of detection evasion strategies by malicious actors who are trolling open-source repositories and developers.”

Conclusion

The use of Ethereum smart contracts to conceal malware instructions within NPM packages marks a significant development in the intersection of blockchain and cybersecurity. As attackers refine their methods, blending decentralized technologies with social engineering tactics, security teams face the challenge of keeping pace with increasingly sophisticated campaigns.

With more than 20 crypto-related malware incidents already recorded this year, experts warn that open-source repositories will continue to be prime targets – and that blockchain-enabled delivery methods could become more common in the future.
