Hackers Use Ethereum Smart Contracts to Hide Malware in npm Packages

Bucharest, Romania — Cybersecurity researchers have uncovered a new method in which hackers are using Ethereum smart contracts to deliver malware through the npm package registry.

According to a report from ReversingLabs, the attackers deployed malicious packages named colortoolsv2 and mimelib2 in July 2025. These packages exploited blockchain technology to hide commands that lead to malware downloads, complicating detection efforts.

The researchers noted that this attack specifically targeted developers in the cryptocurrency sector. The attackers manipulated GitHub repositories and created fake user accounts to inflate the apparent legitimacy of their malicious projects. These accounts generated thousands of commits to make the repositories appear active.

ReversingLabs explained that these npm packages did not employ traditional methods of disguising malicious activity. Instead, they stored command and control (C2) URLs within the Ethereum blockchain, allowing the malicious infrastructure to bypass standard security scans.

In examining the packages, researchers found that most of the commits were repetitive modifications to the licenses of fake trading bot projects, which were presented as legitimate cryptocurrency tools. However, further investigation revealed that these projects were entirely fabricated.

The evolving threat landscape raises concerns about supply chain attacks. ReversingLabs reported a total of 23 cryptocurrency-related supply chain attacks in 2024, reinforcing the need for developers to scrutinize third-party packages more closely.

Researchers recommend that developers not only assess the content of the packages they use but also examine the history and credibility of the maintainers and the activity within associated repositories.
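One way to triage package contents for the pattern described above (a blockchain read combined with the ability to download and run something), shown as an added example that is not from ReversingLabs or this article. The regexes, the verdict strings, and the sample files are assumptions constructed for illustration.

```javascript
// Added example: static triage heuristic over package source text.
// The indicator regexes are illustrative assumptions, not published signatures.
const SIGNALS = {
  // Reads from Ethereum: client libraries, raw JSON-RPC, or a 20-byte address literal.
  chainRead: [
    /require\(\s*['"](ethers|web3)['"]\s*\)/,
    /from\s+['"](ethers|web3)['"]/,
    /\beth_call\b/,
    /\b0x[0-9a-fA-F]{40}\b/,
  ],
  // Outbound HTTP capability.
  fetch: [
    /\bfetch\s*\(/,
    /require\(\s*['"](axios|got|node-fetch|(node:)?https?)['"]\s*\)/,
  ],
  // Ability to run what was fetched.
  exec: [
    /require\(\s*['"](node:)?child_process['"]\s*\)/,
    /\beval\s*\(/,
    /\bnew\s+Function\s*\(/,
  ],
};

// files: { relativePath: sourceText }. Each group alone is common in
// crypto tooling; only the combination of all three is escalated.
function scanPackage(files) {
  const hits = { chainRead: [], fetch: [], exec: [] };
  for (const [name, source] of Object.entries(files)) {
    for (const [group, patterns] of Object.entries(SIGNALS)) {
      if (patterns.some((re) => re.test(source))) hits[group].push(name);
    }
  }
  const combined = Object.values(hits).every((list) => list.length > 0);
  return { verdict: combined ? "manual-review" : "no-combined-signal", hits };
}

// Constructed, non-functional fragments standing in for unpacked tarball files.
const SAMPLE_SUSPECT = {
  "index.js": [
    'const { ethers } = require("ethers");',
    'const ADDR = "0x000000000000000000000000000000000000dEaD"; // placeholder',
    'const cp = require("child_process");',
    "fetch(valueReadFromContract); // ...",
  ].join("\n"),
};
const SAMPLE_BENIGN = {
  "prices.js": 'const { ethers } = require("ethers");\nfetch("https://example.invalid/p");',
};

console.log(scanPackage(SAMPLE_SUSPECT).verdict, scanPackage(SAMPLE_BENIGN).verdict);
```

A "manual-review" verdict is a prompt to read the flagged files and check the maintainer and repository history, not proof of malice; obfuscated code can evade text patterns like these.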

This tactic represents a significant shift in how malware is delivered, highlighting the necessity for vigilant security practices in integrating open-source software into development workflows.