Hackers exploit Ethereum contracts to hide malware in npm packages

• Malware uses Ethereum contracts for hidden commands
• Malicious npm packages exploit open source libraries
• Fake campaign includes cryptocurrency trading bots

Um report A recent report from security firm ReversingLabs revealed that hackers are using Ethereum smart contracts as part of a new technique to hide malware in npm packages. This approach was identified in two packages published in July, called "colortoolsv2" and "mimelib2," which extracted command and control instructions directly from on-chain contracts.

According to researcher Lucija Valentic, the packets executed obfuscated scripts that queried Ethereum contracts to locate the payload for the next stage of the infection. This method replaces the traditional practice of inserting links directly into the code, making it more difficult for library maintainers to detect and remove the malware. "This is something we've never seen before," Valentic said, highlighting the sophistication of the technique and the speed with which threat actors adapt their strategies.

In addition to using smart contracts, the attackers created fake GitHub repositories with cryptocurrency themes, such as trading bots, that displayed artificially inflated activity. Fake stars, automated commits, and fictitious maintainer profiles were used to trick developers into trusting the packages and including them in their projects.

Although the identified packages have already been removed after a report, ReversingLabs warned that the incident is part of a larger campaign aimed at compromising the npm and GitHub ecosystems. Among the fake repositories was "solana-trading-bot-v2," which featured thousands of shallow commits to gain credibility while inserting malicious dependencies.

Valentic explained that the investigation revealed evidence of a broader, coordinated effort aimed at infiltrating malicious code into libraries widely used by developers. "These recent attacks by threat actors, including the creation of sophisticated attacks using blockchain and GitHub, show that repository attacks are evolving," he emphasized.

The company had also identified previous campaigns that abused developers' trust in open-source packages. This latest campaign, however, demonstrates how blockchain technology is being creatively incorporated into malware schemes, increasing the complexity of security in the cryptocurrency-related application and project development ecosystem.