Recent research from ReversingLabs has unveiled a sophisticated method employed by threat actors to deliver malware using Ethereum smart contracts. This innovative approach aims to bypass security scans and highlights an alarming evolution in cyber attack strategies targeting code repositories.
According to ReversingLabs, two malicious packages found on the Node Package Manager (NPM), designated as “colortoolsv2” and “mimelib2,” have been utilizing smart contracts on the Ethereum blockchain to conceal malevolent commands. Released in July, these packages function as downloaders that initially appear harmless. Instead of hosting malicious links directly, they cleverly retrieve command and control server addresses from smart contracts when installed on compromised systems.
Lucija Valentić, a ReversingLabs researcher, noted in a recent blog post that when these packages are operational, they query the blockchain to obtain URLs leading to the download of secondary malware. This technique complicates detection efforts because the blockchain transactions appear legitimate, complicating efforts to identify and nullify threats.
While malware targeting Ethereum smart contracts isn’t entirely new—earlier this year, the Lazarus Group, linked to North Korean hacking activities, employed similar tactics—the strategic use of smart contracts to host URLs for downloading malware marks a notable shift. Valentić emphasized that this novel approach underscores the rapid evolution of evasion tactics utilized by malicious actors, particularly in the context of open-source repositories.
The research reveals that these malware packages are part of a broader deception campaign primarily orchestrated through GitHub. Cybercriminals have developed fake cryptocurrency trading bot repositories designed to instill confidence among potential victims. This intricate operation involves fabricated commits, the creation of misleading user accounts to monitor repositories, multiple maintainer accounts designed to project active development, and professional-quality project documentation.
The investigation into these threats comes amid an increasing number of malicious campaigns targeting cryptocurrency users. In 2024 alone, researchers have identified 23 crypto-related malicious efforts linked to open-source repositories. The latest developments reveal the ability of attackers to blend blockchain technology with intricate social engineering, enhancing their chances of evading traditional detection methods.
This evolving threat landscape extends beyond Ethereum. For example, earlier in April, a deceptive repository masquerading as a Solana trading bot was discovered to distribute malware capable of stealing credentials from crypto wallets. Additionally, attacks have also been reported targeting “Bitcoinlib,” an open-source Python library aimed at simplifying Bitcoin development.
As cyber threats continue to advance and exploit newfound vulnerabilities, experts urge users to remain vigilant and adopt robust cybersecurity practices when engaging with open-source repositories and cryptocurrency technologies.
