Hackers Conceal Malware in Ethereum Smart Contracts to Bypass Protection


Cybersecurity researchers have discovered a new method for hiding malware through Ethereum smart contracts, significantly complicating its detection by standard protection tools.

This is reported by Finway.

A New Level of Cyberattacks via the Ethereum Blockchain

Experts from ReversingLabs reported the discovery of two malicious NPM packages that used Ethereum smart contracts to covertly transmit commands and links. According to their observations, the attackers published the malicious tools to public repositories, exploiting blockchain features to evade detection by antivirus systems.

Users who installed the packages colortoolsv2 and mimelib2, which appeared in July 2025 in NPM, the largest JavaScript package repository, were at risk. A notable aspect of the attack was that the malicious code did not contain hard-coded links to command servers but obtained them directly from Ethereum smart contracts. This allowed the malware traffic to be disguised as legitimate, complicating its identification.

After installation, the packages connected to the blockchain, where they read server addresses and downloaded the second phase of the malware. Thus, ordinary smart contracts effectively became tools for concealing URLs, helping to bypass automated security checks.
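The pattern described above (install-time code that reads data from an Ethereum contract, fetches a second stage from the address it obtains, and executes it) can be triaged with a simple static heuristic. The following is an added illustration, not code from ReversingLabs or from the packages named in the article; the indicator lists, the `triagePackage` function and the sample package contents are all constructed for this example.

```javascript
// Heuristic triage of an npm package for the chain-read -> download -> execute pattern.
// Indicator regexes are illustrative and deliberately small; tune them for real use.
const INDICATORS = {
  chainRead: [/eth_call/, /eth_getStorageAt/, /\bweb3\b/i, /\bethers\b/],
  fetchStage: [/https?\.get\(/, /\bfetch\(/, /\baxios\b/],
  execute: [/\beval\(/, /new Function\(/, /child_process/, /vm\.runIn/],
};

// Return, per category, which indicator patterns matched the given source text.
function scanSource(src) {
  const hits = {};
  for (const [category, patterns] of Object.entries(INDICATORS)) {
    hits[category] = patterns.filter((p) => p.test(src)).map(String);
  }
  return hits;
}

// pkgJson: parsed package.json; sources: { filename: fileContents } for the package's JS files.
function triagePackage(pkgJson, sources) {
  const scripts = pkgJson.scripts || {};
  const installHooks = ["preinstall", "install", "postinstall"].filter((k) => k in scripts);
  const hits = scanSource(Object.values(sources).join("\n"));
  const reasons = [];
  if (installHooks.length) reasons.push(`runs code at install time via ${installHooks.join(", ")}`);
  if (hits.chainRead.length) reasons.push("reads data from an Ethereum RPC endpoint or contract");
  if (hits.fetchStage.length) reasons.push("downloads additional content over HTTP(S)");
  if (hits.execute.length) reasons.push("executes dynamically obtained code");
  // Alert only on the full chain; a library that merely talks to Ethereum is not suspicious by itself.
  const suspicious = hits.chainRead.length > 0 && hits.fetchStage.length > 0 && hits.execute.length > 0;
  return { suspicious, installHooks, hits, reasons };
}

// Constructed sample: a benign-looking package whose postinstall script shows all three indicators.
const samplePkg = { name: "example-colors", version: "1.0.0", scripts: { postinstall: "node setup.js" } };
const sampleSources = {
  "setup.js": [
    "const https = require('https');",
    "const { execSync } = require('child_process');",
    "// stand-in only: builds an eth_call request, fetches what the contract returned, runs it",
    "const body = JSON.stringify({ method: 'eth_call', params: [{ to: '0xPLACEHOLDER' }, 'latest'] });",
    "https.get(url, (res) => { /* ... execSync(downloaded) ... */ });",
  ].join("\n"),
};

console.log(JSON.stringify(triagePackage(samplePkg, sampleSources), null, 2));
```

A package that only imports `ethers` and has no install hook, download or dynamic execution produces `suspicious: false`, which keeps legitimate blockchain libraries out of the alert set.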

“ReversingLabs notes that the use of blockchain in attacks is not new — similar techniques were previously employed by the hacker group Lazarus. However, the difference in the current approach is that Ethereum contracts were not used for file distribution but for hosting guiding links, which researchers called an unprecedented development in evasion methods.”

Social Engineering and Attack Distribution via Repositories

The malicious packages became part of a large-scale social engineering campaign. The attackers created fake repositories on GitHub, posing as trading bots for crypto assets. To enhance credibility, they used fake commits, multiple observer accounts, and professionally designed documentation that imitated the activity of real developers.

ReversingLabs specialists emphasize that attacks on open repositories are becoming increasingly widespread. In 2024, at least 23 similar campaigns related to digital assets were recorded. Meanwhile, the attackers are not limiting themselves to the Ethereum ecosystem.

In April 2025, a fake bot for Solana was circulating online, which stole users’ crypto wallets, while earlier attacks targeted a Python library called Bitcoinlib, which works with Bitcoin.

Experts believe that the combination of blockchain technologies with social engineering indicates a rise in the creativity of malicious actors. New methods allow them to bypass traditional protective measures and pose a serious threat to developers and users of open-source software.

It is worth noting that in August 2025, the industry’s losses from hacker attacks exceeded $163 million.