
Hackers Use Ethereum Smart Contracts to Hide Malware in npm Packages

TLDR

  • Hackers are using Ethereum smart contracts to hide malware in popular npm packages.
  • Malicious npm packages like “colortoolsv2” and “mimelib2” conceal C2 instructions through Ethereum smart contracts.
  • The attack method complicates detection and takedown efforts by fetching URLs from Ethereum contracts.
  • ReversingLabs researchers discovered a broader campaign involving fake GitHub repositories to lure developers.
  • The campaign highlights the growing sophistication of cybercriminals using blockchain technology for malicious purposes.

Cybercriminals are increasingly using Ethereum smart contracts to conceal malware in popular code libraries, a recent report reveals. The attack targets developers relying on open-source tools, bypassing traditional detection methods. This new tactic involves hiding command-and-control (C2) instructions inside Ethereum smart contracts, making it harder to spot and remove malicious software.

Malicious Packages Embed Ethereum Smart Contracts

In July, researchers at ReversingLabs discovered two malicious npm packages: “colortoolsv2” and “mimelib2.” These packages used Ethereum smart contracts to fetch C2 URLs instead of hardcoding them in the code. The attack executed an obfuscated script that queried an Ethereum smart contract for the next-stage payload location.

ReversingLabs researcher Lucija Valentic explained that this approach complicates detection and takedown efforts. The use of Ethereum smart contracts to hide C2 instructions marks a new and evasive strategy for cybercriminals. “This is something we haven’t seen previously,” Valentic stated, highlighting how quickly attackers adapt their methods to avoid detection.
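As an added illustration (not code from ReversingLabs or from the original article), one way to triage a package for the pattern described above is to flag sources that pair an Ethereum contract read with a process-execution or dynamic-evaluation primitive. The pattern lists, function names and sample files are assumptions constructed for this example.

```javascript
// Added example (not ReversingLabs' tooling): heuristic triage of package sources.
// Pattern lists and sample files are constructed for illustration.
const CHAIN_PATTERNS = [
  { name: "ethereum-library", re: /require\(\s*['"](ethers|web3)['"]\s*\)|from\s+['"](ethers|web3)['"]/ },
  { name: "json-rpc-eth_call", re: /\beth_call\b/ },
  // 20-byte address literal; the trailing \b keeps 32-byte hashes from matching.
  { name: "contract-address-literal", re: /\b0x[0-9a-fA-F]{40}\b/ },
];
const EXEC_PATTERNS = [
  { name: "child_process", re: /['"](node:)?child_process['"]/ },
  { name: "dynamic-eval", re: /\beval\s*\(|new\s+Function\s*\(/ },
];

function hits(patterns, source) {
  return patterns.filter((p) => p.re.test(source)).map((p) => p.name);
}

// files: object mapping a path inside the package to its source text.
function scanPackage(files) {
  const evidence = [];
  for (const [path, source] of Object.entries(files)) {
    const chain = hits(CHAIN_PATTERNS, source);
    const exec = hits(EXEC_PATTERNS, source);
    if (chain.length || exec.length) evidence.push({ path, chain, exec });
  }
  const hasChain = evidence.some((e) => e.chain.length > 0);
  const hasExec = evidence.some((e) => e.exec.length > 0);
  // Either signal alone is common in benign code; the pairing is what merits review.
  return { suspicious: hasChain && hasExec, evidence };
}

// Constructed sample packages (inert strings, never executed).
const SAMPLES = {
  "chain-read-plus-exec": {
    "index.js": "const { ethers } = require('ethers');\nconst cp = require('child_process');\n" +
      "const ADDR = '0x0000000000000000000000000000000000000001';",
  },
  "wallet-helper": { "lib.js": "import { ethers } from 'ethers';\nexport const fmt = ethers.formatEther;" },
  "build-tool": { "run.js": "const { execSync } = require('node:child_process');" },
};

for (const [name, files] of Object.entries(SAMPLES)) {
  console.log(name, scanPackage(files).suspicious);
}
```

Because the packages described here ran an obfuscated script, literal matching like this is most useful after deobfuscation or alongside a review of the package's declared dependencies.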

Campaign Expands Through Malicious Repositories

The campaign extended beyond the two npm packages. ReversingLabs researchers discovered a broader effort involving malicious npm and GitHub projects. These decoy repositories, such as “solana-trading-bot-v2,” displayed fake activity, including inflated stars and auto-generated commits, to deceive developers.

The attackers leveraged these tactics to make their repositories appear legitimate. They aimed to lure developers into downloading dependencies linked to the malicious packages. The strategy shows how attackers are improving their methods to exploit trust in open-source tooling and cryptographic technology.

While this particular campaign was shut down, experts warn of ongoing threats. ReversingLabs’ investigation revealed a growing trend of attacks using Ethereum smart contracts and fake GitHub repositories. Valentic emphasized the need for developers to stay vigilant against these evolving threats.

These attacks underscore the increasing sophistication of cybercriminals using Ethereum smart contracts and blockchain to distribute malware. The incidents reveal that attackers are increasingly using smart contracts as part of their evolving toolkit. “These latest attacks show how quickly the landscape is changing,” Valentic added, pointing to a new wave of blockchain-based threats.

The post Hackers Use Ethereum Smart Contracts to Hide Malware in npm Packages appeared first on CoinCentral.
