- Hackers now exploit Ethereum contracts to hide malware in npm packages, blending with normal blockchain traffic to evade detection.
- Fake crypto GitHub repos with inflated stars trick developers into downloading malicious code disguised as trusted open-source tools.
- Decentralized systems like Ethereum are being weaponized in supply chain attacks, making malware takedowns harder than ever before.
Hackers are now misusing Ethereum smart contracts as tools for cybercrime, creating concerns for developers. Security experts at ReversingLabs found that criminals hid malicious traffic inside what looked like normal blockchain activity.
In doing so, they circumvented conventional security measures by utilizing Ethereum’s decentralized infrastructure. They targeted npm libraries by smuggling malicious code into open-source packages that many developers depend on.
How Hackers Used Ethereum to Hide Malware
Researchers revealed that attackers used two npm packages, “colortoolsv2” and “mimelib2,” to pull command-and-control (C2) URLs directly from Ethereum contracts. The malware was harder to shut down because it didn’t use fixed web addresses. Instead, it pulled instructions through blockchain queries, making it blend in with normal Ethereum activity. This made it very tough for security teams to spot the infections.
Besides, the operation leaned on fake crypto-themed GitHub repositories, complete with inflated stars and automated commits. This strategy created a false sense of credibility, convincing developers to trust the libraries. Once downloaded, the packages deployed an obfuscated script, fetching a second-stage downloader hidden from immediate detection.
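The two traits described above, an install-time hook and a second stage resolved through an Ethereum query rather than a fixed URL, can be checked for before a new dependency is allowed in. The following is an added example written for this article, not ReversingLabs' tooling or code from the packages named; the indicator names, the scoring, and both sample packages are assumptions made for illustration, and the sample file contents are constructed and inert.

```javascript
// Added example (not ReversingLabs' code): static triage of an npm package's
// files for the pattern the article describes:
//   1. lifecycle hooks that execute code at `npm install` time, and
//   2. script code that fetches its next stage via an Ethereum JSON-RPC query
//      (eth_call against a contract address) instead of a fixed web address,
//      plus common dynamic-execution / obfuscation markers.
// Indicator names, verdict thresholds and sample packages are assumptions.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// No `g` flag on purpose: RegExp#test must not carry lastIndex state between files.
const INDICATORS = [
  { id: 'eth-rpc-call',        re: /\beth_(call|getStorageAt|getLogs)\b/ },
  { id: 'eth-rpc-endpoint',    re: /https?:\/\/[^\s'"]*(infura\.io|alchemy\.com|ankr\.com|cloudflare-eth\.com)/i },
  { id: 'eth-address-literal', re: /0x[0-9a-fA-F]{40}\b/ },
  { id: 'dynamic-eval',        re: /\beval\s*\(|new\s+Function\s*\(/ },
  { id: 'hex-escape-run',      re: /(?:\\x[0-9a-f]{2}){8,}/i },
  { id: 'child-process',       re: /require\(\s*['"](node:)?child_process['"]\s*\)/ },
];

// Returns the lifecycle hooks a package.json would run during installation.
function lifecycleHooks(pkgJson) {
  let pkg;
  try { pkg = JSON.parse(pkgJson || '{}'); } catch { return []; }
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS.filter(h => typeof scripts[h] === 'string')
                        .map(h => ({ hook: h, cmd: scripts[h] }));
}

// files: { [relativePath]: textContents }. Every file is scanned, package.json
// included, since an inline `node -e` in a hook can carry the payload itself.
function scanFiles(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    for (const ind of INDICATORS) {
      if (ind.re.test(text)) findings.push({ path, indicator: ind.id });
    }
  }
  return findings;
}

function verdict(hooks, findings) {
  const ids = new Set(findings.map(f => f.indicator));
  const ethQuery = ids.has('eth-rpc-call') || ids.has('eth-rpc-endpoint');
  // Install-time execution that also queries the chain is the campaign's
  // signature; for a package whose purpose has nothing to do with Ethereum it
  // should block the install pending manual review.
  if (hooks.length > 0 && ethQuery) return 'high';
  if (hooks.length > 0 && ids.size > 0) return 'medium';
  if (ethQuery || ids.has('dynamic-eval')) return 'medium';
  return 'low';
}

function triagePackage(files) {
  const hooks = lifecycleHooks(files['package.json']);
  const findings = scanFiles(files);
  return { hooks, findings, verdict: verdict(hooks, findings) };
}

// Constructed sample: a "utility" package with a postinstall hook whose
// installer asks a contract for its next stage. Contents are inert stand-ins.
const SUSPICIOUS_PACKAGE = {
  'package.json': JSON.stringify({
    name: 'example-color-utils',          // placeholder name, not a real package
    version: '1.0.3',
    scripts: { postinstall: 'node setup.js' },
  }),
  'setup.js': [
    '// inert stand-in for the obfuscated installer described in the article',
    "const CONTRACT = '0x" + '0'.repeat(40) + "';",
    "const rpc = { jsonrpc: '2.0', method: 'eth_call', params: [{ to: CONTRACT, data: '0x' }, 'latest'], id: 1 };",
    '// the stage-two URL would be read from the call result and run via eval(...)',
  ].join('\n'),
};

// Constructed sample: a benign package with no install hooks and no markers.
const BENIGN_PACKAGE = {
  'package.json': JSON.stringify({ name: 'example-tiny-hex', version: '2.1.0', scripts: { test: 'node test.js' } }),
  'index.js': "module.exports = n => '#' + n.toString(16).padStart(6, '0');",
};

for (const [label, pkg] of [['suspicious', SUSPICIOUS_PACKAGE], ['benign', BENIGN_PACKAGE]]) {
  const r = triagePackage(pkg);
  console.log(`${label}: verdict=${r.verdict}` +
              ` hooks=${r.hooks.map(h => h.hook).join(',') || '-'}` +
              ` findings=${r.findings.map(f => `${f.path}:${f.indicator}`).join(',') || '-'}`);
}
```

Run it against the extracted output of `npm pack` for a candidate dependency in CI before the package is added to a lockfile. The caveat is that genuine web3 libraries legitimately match `eth-rpc-call`; the discriminator is the combination with install-time execution in a package whose stated purpose (colors, MIME handling) has no reason to touch a chain, which is why the verdict only reaches `high` when a lifecycle hook is present alongside the query.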
A Broader Software Supply Chain Threat
The malware family was identified and subsequently taken down, according to Lucija Valentic, a researcher at ReversingLabs. She stressed, however, that the campaign was part of a broader trend. In 2024, there were at least 23 hostile crypto-related operations that targeted repositories linked to Solana, Bitcoinlib, and other blockchain tools.
Furthermore, hackers now turn to decentralized systems instead of hosting malware on cloud services like Google Drive or OneDrive. Hence, Ethereum is the new frontier in supply chain attacks. Developers are urged to remain vigilant, as attackers can fake package popularity and even operate sock-puppet maintainer accounts.
Additionally, the campaign highlighted how quickly threat actors adapt. By embedding malicious payloads in blockchain activity, they complicate detection and strengthen evasion tactics. Consequently, even simple open-source packages can conceal malware aimed at stealing wallet credentials or installing crypto miners.
Ethereum’s misuse for malware delivery shows that blockchain is no longer just a target but also a tool for cybercriminals. Developers must treat even trusted repositories with caution.