Hackers have found a new way to deliver malware by hiding malicious links inside Ethereum smart contracts, bypassing traditional security measures.
Key Takeaways
- Two NPM packages, colortoolsv2 and mimelib2, used Ethereum smart contracts to hide URLs for downloading second-stage malware.
- This method makes detection difficult by disguising malicious activity as legitimate blockchain traffic.
- The attack was part of a wider social engineering campaign using fake GitHub repositories to appear trustworthy.
- Researchers at ReversingLabs said this marks a new evolution in supply chain attacks targeting crypto developers.
What Happened?
A pair of malicious JavaScript packages found on the npm (Node Package Manager) registry used Ethereum smart contracts to distribute malware. Rather than containing the payload themselves, the packages read a URL from a smart contract and used it to fetch additional payloads, effectively hiding the malware download location inside blockchain state rather than in the package code.
This technique bypassed conventional security tools, which typically do not flag blockchain queries as suspicious.
⚠️ New RL threat research: 2 malicious #npm packages abuse #Ethereum smart contracts to load #malware on compromised devices. https://t.co/wzDRKfm2yh
— ReversingLabs (@ReversingLabs) September 3, 2025
A Sophisticated Attack Vector
Cybersecurity firm ReversingLabs identified the two malicious packages, colortoolsv2 and mimelib2, in July 2025. Though they seemed like basic tools, the packages acted as simple loaders. Instead of embedding harmful code directly, they pulled command-and-control server addresses from Ethereum smart contracts.
Once installed, the malware queried the blockchain to get a URL that then led to the download of the second-stage payload, which executed the malicious activity. The use of Ethereum smart contracts obscures the origin of the malware and allows the malicious code to blend in with ordinary blockchain traffic.
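As an added example (not code from ReversingLabs or from this article), here is a small static triage check a defender could run over an npm package's files to flag the loader pattern described above: a lifecycle install hook combined, in the same package, with an Ethereum RPC read, an outbound fetch and a code-execution primitive. The indicator lists and the sample package contents are constructed assumptions, not the real colortoolsv2 or mimelib2 contents.

```javascript
// Indicator patterns are assumptions chosen to illustrate the technique;
// a real scanner would maintain a much larger, curated list.
const INDICATORS = {
  ethRead: [/\beth_call\b/, /\bethers\b/, /\bweb3\b/, /\bJsonRpcProvider\b/],
  fetch: [/\brequire\(['"]https?['"]\)/, /\bfetch\(/, /\baxios\b/, /\bnode-fetch\b/],
  exec: [/\bchild_process\b/, /\beval\(/, /\bnew Function\(/, /\bexecSync\(/],
};

// Return, per indicator class, the patterns that matched in the source text.
function scanSource(src) {
  const hits = {};
  for (const [kind, patterns] of Object.entries(INDICATORS)) {
    hits[kind] = patterns.filter((re) => re.test(src)).map(String);
  }
  return hits;
}

// Lifecycle scripts that run automatically on `npm install`.
function lifecycleHooks(pkgJson) {
  const hooks = ['preinstall', 'install', 'postinstall', 'prepare'];
  const scripts = (pkgJson && pkgJson.scripts) || {};
  return hooks.filter((h) => typeof scripts[h] === 'string');
}

// Combine the signals: the full chain (chain read + fetch + exec) behind an
// install hook is the loader shape described in the article.
function triagePackage(pkgJson, sources) {
  const hits = scanSource(Object.values(sources).join('\n'));
  const hooks = lifecycleHooks(pkgJson);
  const chain = hits.ethRead.length > 0 && hits.fetch.length > 0 && hits.exec.length > 0;
  let verdict = 'clean';
  if (chain && hooks.length > 0) verdict = 'high';
  else if (chain || (hooks.length > 0 && hits.exec.length > 0)) verdict = 'medium';
  return { verdict, hooks, hits };
}

// Constructed sample inputs (hypothetical package names and contents).
const SUSPECT_PKG = { name: 'example-colors', scripts: { postinstall: 'node setup.js' } };
const SUSPECT_SRC = {
  'setup.js': [
    "const { JsonRpcProvider } = require('ethers');",
    "const https = require('https');",
    "const { execSync } = require('child_process');",
  ].join('\n'),
};
const BENIGN_PKG = { name: 'example-utils', scripts: { test: 'node test.js' } };
const BENIGN_SRC = { 'index.js': 'module.exports = (hex) => parseInt(hex.slice(1), 16);' };

console.log(triagePackage(SUSPECT_PKG, SUSPECT_SRC).verdict, triagePackage(BENIGN_PKG, BENIGN_SRC).verdict);
```

A 'high' verdict is a reason to read the package by hand before installing, not proof of malice; legitimate blockchain tooling can trip individual indicators.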
Lucija Valentić, a researcher at ReversingLabs, explained, “This is something we haven’t seen previously. It highlights the fast evolution of detection evasion strategies by malicious actors who are trolling open source repositories and developers.”
More Than Just Malware
This operation was part of a larger deception campaign on GitHub. Hackers set up fake cryptocurrency trading bot repositories that looked authentic, complete with:
- Fabricated commits
- Multiple fake user accounts
- Professional documentation and visuals
- Artificially inflated stars and watchers
These repositories were designed to lure unsuspecting developers, who might unknowingly integrate malicious packages into their own projects. The attackers successfully combined social engineering with technical stealth, exploiting the trust placed in active-looking GitHub repositories.
Not Limited to Ethereum
While this attack used Ethereum, other blockchain ecosystems have been targeted with similar lures. In April, a fake GitHub repo disguised as a Solana trading bot spread malware that stole crypto wallet credentials. Another attack targeted Bitcoinlib, a Python tool for Bitcoin development.
The threat landscape for open-source crypto development is growing more dangerous. In 2024 alone, over 20 crypto-focused malware campaigns were documented across platforms like NPM and PyPI.
Ronghui Gu, founder of CertiK and a professor at Columbia University, recently called the cybersecurity situation in crypto an “endless war” against hackers.
CoinLaw’s Takeaway
Honestly, this attack feels like a wake-up call for everyone in the crypto and developer communities. I’ve seen how quickly trust can be abused in the open-source ecosystem. When even basic packages can be backdoors and smart contracts get twisted into malware tools, it’s no longer enough to just scan code for suspicious strings. We need to rethink trust models in blockchain and open-source tooling. In my experience, even seasoned devs can fall for well-crafted deception, especially when it’s dressed up with blockchain buzz. This is a reminder to verify the integrity of both code and its creators.
