Hackers are now exploiting vulnerabilities in widely used NPM coding libraries to inject malware into Ethereum smart contracts, according to cybersecurity research by blockchain compliance firm ReversingLabs (RL). In a September 3 blog post detailing the discovery, researcher Lucija Valentić revealed that threat actors bypass security scans by exploiting new open-source malware present in the Node Package Manager (NPM) package repository, which hosts a vast collection of JavaScript packages. The most destructive malware discovered was “colortoolsv2” and “mimelib2”, both published in July, which were found to abuse smart contracts to conceal malicious commands that install downloader malware on infected systems.

The package colortoolsv2 is being used to infiltrate Ethereum smart contracts. According to RL researchers, the malware is a basic NPM package containing just two files. The main file is a script named index.js, which contains a hidden malicious payload. Once installed in a project, the script runs to fetch blockchain data and execute a harmful command: it loads the URL of a command-and-control (C2) server, which then downloads second-stage malware to the requesting system.

While “downloader” malware is a common method hackers use in NPM repositories to target victims, this specific malware is unusual in that it uses Ethereum smart contracts to host the URLs where the malicious commands for downloading the second-stage malware are located.

“It gets even more fancy: the way Etherscan was tricked into showing the wrong implementation contract is based on setting 2 different proxy slots in the same frontrunning … Etherscan uses a certain heuristic that incorporates different storage slots to retrieve the implementation…” — sudo rm -rf –no-preserve-root / (@pcaversaccio), July 10, 2025

Notably, the cybersecurity researchers acknowledge that they haven’t encountered this approach previously.
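As an added illustration of what a defender can check for, the script below (example code written for this page, not ReversingLabs' tooling and not the colortoolsv2 source) triages an npm package by combining three signals the described packages exhibit: an install lifecycle hook in package.json, code that reads data from an Ethereum contract, and code that fetches from the network and hands the result to a process or code-execution API. The package.json objects and file contents are constructed samples; the regexes are heuristics, so a separate `review` verdict exists because legitimate dApp tooling will trigger individual indicators on its own.

```javascript
// Added example (not ReversingLabs' tooling, not the colortoolsv2 code): a static
// triage pass over an npm package's manifest and sources for the pattern the
// article describes, i.e. code wired to an install lifecycle hook that reads a
// value from an Ethereum contract, fetches over the network and hands the
// result to a process/code-execution API. All sample inputs are constructed.
'use strict';

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each indicator is a regex over a file's text plus a tag reported in findings.
const INDICATORS = [
  { tag: 'eth-read',   re: /\beth_call\b|\bethers\b|\bweb3\b|\.call\(\s*\{\s*to:/ },
  { tag: 'net-fetch',  re: /\bfetch\s*\(|\bhttps?\.(get|request)\s*\(|\baxios\b/ },
  { tag: 'exec',       re: /child_process|\bexec(Sync)?\s*\(|\bspawn(Sync)?\s*\(|\beval\s*\(|new Function\s*\(/ },
  { tag: 'file-write', re: /\bwriteFile(Sync)?\s*\(|\bcreateWriteStream\s*\(/ },
];

// pkg: parsed package.json; files: { relativePath: sourceText }.
// Returns a verdict ('pass' | 'review' | 'block') plus the findings behind it.
function triagePackage(pkg, files) {
  const findings = [];
  const hooks = INSTALL_HOOKS.filter((h) => h in (pkg.scripts || {}));
  if (hooks.length > 0) findings.push(`install-hook:${hooks.join(',')}`);

  const tags = new Set();
  for (const [name, src] of Object.entries(files)) {
    for (const { tag, re } of INDICATORS) {
      if (re.test(src)) {
        tags.add(tag);
        findings.push(`${tag}:${name}`);
      }
    }
  }

  // The chain contract-read -> network fetch -> execution is the shape the
  // article describes. Each link alone is common in legitimate dApp tooling,
  // so only the full chain reachable from an install hook is blocked outright.
  const chain = tags.has('eth-read') && tags.has('net-fetch') && tags.has('exec');
  let verdict = 'pass';
  if (hooks.length > 0 && chain) verdict = 'block';
  else if (hooks.length > 0 || chain) verdict = 'review';
  return { verdict, findings };
}

// Constructed samples: indicator strings only, not working code.
const SUSPECT_PKG = { name: 'example-suspect', scripts: { postinstall: 'node index.js' } };
const SUSPECT_FILES = {
  'index.js': [
    'const { ethers } = require("ethers");',
    'const { execSync } = require("child_process");',
    '// reads a string via provider.call({ to: ADDR, data: SEL }), then fetch(url) ...',
    '// ... and execSync( on the downloaded file',
  ].join('\n'),
};
const BENIGN_PKG = { name: 'example-benign', scripts: { test: 'node test.js' } };
const BENIGN_FILES = { 'index.js': 'module.exports = (s) => s.toUpperCase();' };

// Run directly to see both verdicts; in a pipeline, feed it a real extracted tarball.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triagePackage(SUSPECT_PKG, SUSPECT_FILES), null, 2));
  console.log(JSON.stringify(triagePackage(BENIGN_PKG, BENIGN_FILES), null, 2));
}
```

The install-hook check matters most: the article's point is that the payload runs when the package is installed, before any of the project's own code is executed, so a package with no lifecycle script is a far weaker candidate even when it talks to a chain RPC endpoint.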
Two-File Malware Hides a $2.5M Bridge Exploit Method

The researchers uncovered a Solana trading bot infected by the malicious colortoolsv2 package, called solana-trading-bot-v2, which appears to be a trustworthy GitHub project to the average observer. … protocols to amplify the …

The auditors advised that it is critical for developers to assess each library they are considering before deciding to include it in their development cycle.
Latest news and analysis from cryptonews