Ethereum Smart Contracts Weaponized: Hackers Embed Malware in npm Packages
Digital Shadows Lengthen as Blockchain Tech Becomes Latest Attack Vector
THE NEW INFRASTRUCTURE VULNERABILITY
Hackers now deploy Ethereum smart contracts to conceal malicious payloads within popular npm packages—turning decentralized tech into their latest camouflage. They bypass traditional security scans by hiding malware within contract code that appears legitimate. This isn't some theoretical threat—it's live, active, and exploiting the very transparency that makes blockchain valuable.
WHY DEVELOPERS ARE THE TARGET
Attackers bank on developers trusting open-source repositories. They inject poisoned packages that seem harmless until activated—then drain wallets, hijack systems, or exfiltrate data. The scheme leverages Ethereum's immutability: once deployed, malicious contracts can't be altered, only detected.
THE IRONIC TWIST
Here's the kicker—the tech designed to eliminate trust requirements now requires more trust than ever. Another day, another innovation twisted into a weapon while traditional finance still can't decide if crypto is a scam or salvation. Stay paranoid, stay patched.
TLDR
- Hackers are using Ethereum smart contracts to hide malware in popular npm packages.
- Malicious npm packages like “colortoolsv2” and “mimelib2” conceal C2 instructions through Ethereum smart contracts.
- The attack method complicates detection and takedown efforts by fetching URLs from Ethereum contracts.
- ReversingLabs researchers discovered a broader campaign involving fake GitHub repositories to lure developers.
- The campaign highlights the growing sophistication of cybercriminals using blockchain technology for malicious purposes.
Cybercriminals are increasingly using Ethereum smart contracts to conceal malware in popular code libraries, a recent report reveals. The attack targets developers relying on open-source tools, bypassing traditional detection methods. This new tactic involves hiding command-and-control (C2) instructions inside Ethereum smart contracts, making it harder to spot and remove malicious software.
Malicious Packages Embed Ethereum Smart Contracts
In July, researchers at ReversingLabs discovered two malicious npm packages: “colortoolsv2” and “mimelib2.” These packages used Ethereum smart contracts to fetch C2 URLs instead of hardcoding them in the code. The attack executed an obfuscated script that queried an Ethereum smart contract for the next-stage payload location.
ReversingLabs researcher Lucija Valentic explained that this approach complicates detection and takedown efforts. The use of Ethereum smart contracts to hide C2 instructions marks a new and evasive strategy for cybercriminals. “This is something we haven’t seen previously,” Valentic stated, highlighting how quickly attackers adapt their methods to avoid detection.
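As an added example (not ReversingLabs' code, nor anything taken from the packages named above), the following Node.js script shows one way a defender could flag the pattern just described in an unpacked npm package: an Ethereum contract lookup combined with dynamic code execution, weighted higher when a lifecycle hook runs the file at install time. The hook names, regexes and severity thresholds are heuristics chosen for this illustration, not values from the report.

```javascript
// Heuristic scanner for an unpacked npm package (added example, not the
// report's tooling). It flags files that both resolve data from Ethereum at
// runtime and execute or spawn something, the combination described above.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

const CHAIN_LOOKUP = [            // code resolving data from Ethereum at runtime
  /\beth_call\b/,
  /\b(ethers|web3)\b/,
  /0x[0-9a-fA-F]{40}\b/,          // 20-byte address literal (contract or account)
];
const DYNAMIC_EXEC = [            // code running or spawning what it resolved
  /\beval\s*\(/,
  /\bnew\s+Function\s*\(/,
  /\bchild_process\b/,
  /\bvm\.runIn\w+\s*\(/,
];
const OBFUSCATION = [             // common string-hiding constructs
  /\\x[0-9a-fA-F]{2}/g,
  /String\.fromCharCode/g,
];

const hasAny = (patterns, src) => patterns.some((re) => re.test(src));
const countAll = (patterns, src) =>
  patterns.reduce((n, re) => n + (src.match(re) || []).length, 0);

// Files referenced by lifecycle hooks, e.g. "node ./setup.js" -> "setup.js".
function hookedFiles(manifest) {
  const scripts = manifest.scripts || {};
  return new Set(
    LIFECYCLE_HOOKS.filter((h) => h in scripts)
      .flatMap((h) => scripts[h].match(/[\w./-]+\.[cm]?js\b/g) || [])
      .map((p) => p.replace(/^\.\//, "")),
  );
}

// manifest: parsed package.json; files: { relativePath: sourceText }
function scanPackage(manifest, files) {
  const hooked = hookedFiles(manifest);
  const findings = [];
  for (const [path, src] of Object.entries(files)) {
    const chain = hasAny(CHAIN_LOOKUP, src);
    const exec = hasAny(DYNAMIC_EXEC, src);
    if (!(chain && exec)) continue;           // either alone is common and benign
    let severity = "medium";
    if (hooked.has(path)) severity = "high";  // runs on `npm install`, no import needed
    if (countAll(OBFUSCATION, src) >= 5) severity = "high";
    findings.push({ path, severity, hooked: hooked.has(path) });
  }
  return findings;
}
```

The constructed inputs in the test below stand in for a package's package.json and source files; in practice the same function runs over the contents of an extracted tarball before it is installed.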
Campaign Expands Through Malicious Repositories
The campaign extended beyond the two npm packages. ReversingLabs researchers discovered a broader effort involving malicious npm and GitHub projects. These decoy repositories, such as “solana-trading-bot-v2,” displayed fake activity, including inflated stars and auto-generated commits, to deceive developers.
The attackers leveraged these tactics to make their repositories appear legitimate. They aimed to lure developers into downloading dependencies linked to the malicious packages. The strategy shows how attackers are improving their methods to exploit trust in open-source tooling and cryptographic technology.
While this particular campaign was shut down, experts warn of ongoing threats. ReversingLabs’ investigation revealed a growing trend of attacks using Ethereum smart contracts and fake GitHub repositories. Valentic emphasized the need for developers to stay vigilant against these evolving threats.
These attacks underscore the increasing sophistication of cybercriminals using Ethereum smart contracts and blockchain to distribute malware. The incidents reveal that attackers are increasingly using smart contracts as part of their evolving toolkit. “These latest attacks show how quickly the landscape is changing,” Valentic added, pointing to a new wave of blockchain-based threats.