Hackers have found a new way to hide the instructions and download links for malicious software inside Ethereum smart contracts, evading security scans, as attacks on code repositories grow more sophisticated.
ReversingLabs cybersecurity researchers have discovered two fake JavaScript packages, named “colortoolsv2” and “mimelib2,” in the Node Package Manager (NPM).
The packages, published in July, evade security scans by keeping their malicious instructions out of the package code itself and inside Ethereum smart contracts. In a blog post published on Wednesday, ReversingLabs researcher Lucija Valentić revealed that both packages function as downloaders: they read their command-and-control server addresses from smart contracts on the Ethereum blockchain.
Once installed, a package queries the blockchain to fetch the URL of a second-stage malware, which delivers the actual malicious payload. This makes detection hard for two reasons: the package contains no malicious URL for a scanner to find, and the lookup itself is an ordinary Ethereum query that looks like legitimate blockchain traffic.
Hackers are using Ethereum Smart Contracts in a new tactic
Hackers, including the North Korean-linked Lazarus Group, have used Ethereum smart contracts before to spread harmful software, or malware. However, Valentić explained that this new tactic is different.
Now, hackers are storing web addresses (URLs) inside Ethereum smart contracts, and those URLs point victims' devices to the harmful software to download. Hosting the download links in a contract is a trick that hasn't been seen before, and it is harder for security systems to catch because the download address never appears in the package: it is fetched from the blockchain only at run time.
Valentić says the incident shows how quickly hackers are finding new ways to avoid detection while targeting developers and open-source code platforms. This malware is part of a larger scam on GitHub, where hackers create fraudulent projects for cryptocurrency trading bots.
To make these projects look real, they add fake updates, create fake user accounts, use multiple fake maintainers, and include professional-looking descriptions. The misleading information tricks developers into trusting and downloading the malicious software.
In 2024, security researchers documented 23 cryptocurrency-related campaigns on open-source code platforms in which hackers hid malicious software. According to Valentić, this new type of attack shows that the scams are becoming more sophisticated.
Further, in April, hackers created a fake GitHub project pretending to be a Solana trading bot, which secretly installed malware to steal cryptocurrency wallet information. They also targeted “Bitcoinlib,” a tool that helps developers work with Bitcoin, showing how hackers are attacking different platforms to steal from users.