ReversingLabs reveals a new method for hiding malicious software links on the blockchain, signaling an evolving threat to developers and open-source repositories.
Cybersecurity researchers at ReversingLabs have uncovered a sophisticated technique hackers are using to conceal malware in Ethereum smart contracts. Two malicious Node Package Manager (NPM) packages, “colortoolsv2” and “mimelib2” published in July, were designed to fetch harmful URLs directly from the blockchain, rather than hosting them on conventional servers. According to ReversingLabs researcher Lucija Valentić, this approach allows attackers to bypass standard security scans, delivering malware in a way that appears legitimate and evades traditional detection methods.
⚠️🧵RL threat researchers detected a malicious #npm package abusing #blockchain for malicious command hosting: https://t.co/Hc0QjaH3So pic.twitter.com/uQ3xXAIEkZ
— ReversingLabs (@ReversingLabs) July 11, 2025
How the Malware Works
Unlike conventional malware that directly embeds malicious links, these NPM packages act as simple downloaders. When installed, they query Ethereum smart contracts to retrieve command and control server addresses. These addresses then point to second-stage malware, which carries out the payload, whether that’s stealing data, executing unauthorized commands, or downloading additional software.
This method makes detection particularly challenging because blockchain traffic is considered legitimate and is not easily flagged by conventional antivirus or repository security tools. Valentić explained:
“That’s something we haven’t seen previously, and it highlights the fast evolution of detection evasion strategies by malicious actors who are trolling open-source repositories and developers” .
A New Attack Vector
Malware targeting Ethereum smart contracts is not entirely new. Earlier this year, the North Korean-affiliated Lazarus Group used similar techniques. What sets these NPM packages apart is the direct use of Ethereum smart contracts to host the URLs for malicious commands, effectively combining blockchain technology with malware delivery.
This approach represents the attack vector mentioned in the CSO online report, emphasizing the need for developers and organizations to monitor dependencies and open-source packages carefully.
An Elaborate Crypto Deception Campaign
The malicious packages were part of a broader social engineering campaign that primarily operated through GitHub. Threat actors created fake cryptocurrency trading bot repositories designed to appear legitimate. These repositories included:
- Fabricated commit histories to simulate active development
- Fake user accounts watching the repositories
- Multiple maintainer accounts for realism
- Professional-looking documentation and project descriptions
Such tactics aim to increase trust among developers and encourage them to install or interact with the malicious packages.
Evolving Threats in Open-Source Repositories
Security researchers documented 23 crypto-related malicious campaigns on open-source repositories in 2024 alone. This latest attack demonstrates how attackers are combining blockchain technology with social engineering to bypass traditional detection systems.
Threats are not limited to Ethereum. In April, a fake GitHub repository posing as a Solana trading bot distributed malware designed to steal crypto wallet credentials. Hackers have also targeted open-source Python libraries such as Bitcoinlib, which is intended to simplify Bitcoin development.
Valentić concluded:
“These attacks highlight the rapid evolution of malicious strategies and the importance of vigilance for anyone relying on open-source software, particularly in the cryptocurrency space”.
Tanya Petrusenko
Disclaimer: All materials on this site are for informational purposes only. None of the material should be interpreted as investment advice. Please note that despite the nature of much of the material created and hosted on this website, HODL FM is not a financial reference resource, and the opinions of authors and other contributors are their own and should not be taken as financial advice. If you require advice. HODL FM strongly recommends contacting a qualified industry professional.
