Ethereum News Today: Malware Hiding in Ethereum Smart Contracts Rears Its Head
Cybersecurity researchers have uncovered a new and sophisticated technique in which threat actors are leveraging Ethereum smart contracts to conceal and deliver malicious code. This method has been identified in two npm packages, colortoolsv2 and mimelib2, which were uploaded to the npm registry in July 2025. Upon discovery, these packages were swiftly removed. The malicious code embedded in these packages exploits smart contracts to hide URLs that retrieve second-stage payloads from a command-and-control server. This approach complicates detection efforts, as the malicious infrastructure is not directly embedded in the package but rather resides within the blockchain itself [1].
The attack goes beyond the npm ecosystem and extends to a coordinated campaign involving GitHub repositories. These repositories, such as solana-trading-bot-v2, ethereum-mev-bot-v2, and arbitrage-bot, appear to be legitimate cryptocurrency trading bots. However, researchers from ReversingLabs found that the perceived legitimacy is largely fabricated. These repositories were populated with thousands of commits—many of which were artificially generated—and were promoted using fake GitHub accounts that starred and forked the repositories. These accounts were created in July 2025 and exhibited minimal activity outside of the campaign. Automated commit infrastructures were also identified, with most changes involving the deletion or addition of the LICENSE file, a clear attempt to inflate the repository’s credibility [2].
The malicious packages were introduced into these repositories as dependencies, with the colortoolsv2 package being replaced by mimelib2. This was done to evade detection and ensure continuity of the campaign. The researchers also identified multiple user accounts associated with the campaign, including pasttimerles, who was responsible for the majority of the fabricated commits. Another account, slunfuedrac, was found to be responsible for incorporating the malicious packages into the repository code [3].
The use of Ethereum smart contracts for malware delivery is a relatively new technique in the threat landscape. Unlike traditional malware downloaders that embed malicious URLs within the package code, these packages use smart contracts to store the URLs and commands. This method was previously observed in 2023 with malicious Python packages that used GitHub Gists to host C2 URLs. However, the shift to smart contracts represents a significant evolution in evasion tactics [4].
This campaign is part of a broader trend of supply chain attacks targeting cryptocurrency developers. According to the ReversingLabs 2025 Software Supply Chain Security report, there were 23 such campaigns in 2024, including the compromise of the PyPI package ultralytics that delivered a crypto coin miner. The use of open-source repositories as a vector for distributing malware underscores the need for developers to carefully evaluate the authenticity and integrity of third-party packages. This includes scrutinizing not just the package itself, but also its maintainers and the broader ecosystem in which it is hosted [5].
In response to these findings, ReversingLabs has recommended that developers adopt a more rigorous vetting process for open-source packages. This includes analyzing the history of a package, the credibility of its maintainers, and the overall activity within the associated repositories. The firm has also introduced tools such as Spectra Assure Community to assist with the assessment of open-source packages. Given the increasing sophistication of supply chain attacks, developers and organizations must remain vigilant and adapt their security strategies to address evolving threats [6].
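As an added illustration (not code from ReversingLabs or from the campaign's repositories), the following Python scores the repository signals this article describes and that the vetting advice above asks developers to check: commits whose only change is the LICENSE file, commit history concentrated in one author, stargazer accounts created in a short burst, and stargazers with no other activity. The commit and stargazer records are constructed; in practice they would come from the git log and the hosting platform's API, and the thresholds are assumptions to tune per ecosystem.

```python
from collections import Counter
from datetime import date

# Constructed sample data (assumed, not taken from the report). A commit is
# (author login, files touched); a stargazer is (login, account creation
# date, number of public events the account has outside this repository).
COMMITS = [
    ("dev-a", ["LICENSE"]), ("dev-a", ["LICENSE"]), ("dev-a", ["LICENSE"]),
    ("dev-a", ["LICENSE"]), ("dev-a", ["LICENSE"]), ("dev-a", ["LICENSE"]),
    ("dev-b", ["package.json"]),  # the dependency swap lands here
    ("dev-a", ["README.md"]),
]
STARGAZERS = [
    ("fan-1", date(2025, 7, 2), 0), ("fan-2", date(2025, 7, 5), 0),
    ("fan-3", date(2025, 7, 9), 1), ("fan-4", date(2025, 7, 12), 0),
    ("oldtimer", date(2019, 3, 1), 240),
]

def license_churn_ratio(commits):
    """Share of commits whose only change is adding or removing LICENSE."""
    return sum(files == ["LICENSE"] for _, files in commits) / max(len(commits), 1)

def top_author_share(commits):
    """Share of commits made by the single most active author."""
    counts = Counter(author for author, _ in commits)
    return max(counts.values(), default=0) / max(len(commits), 1)

def stargazer_burst_share(stargazers, window_days=30):
    """Largest share of stargazer accounts created inside one window of days."""
    dates = sorted(created for _, created, _ in stargazers)
    best = 0
    for i, start in enumerate(dates):
        best = max(best, sum((d - start).days <= window_days for d in dates[i:]))
    return best / max(len(dates), 1)

def inactive_stargazer_share(stargazers, max_events=1):
    """Share of stargazers with almost no activity beyond starring."""
    return sum(ev <= max_events for *_, ev in stargazers) / max(len(stargazers), 1)

def assess_repo(commits, stargazers):
    """Return the credibility findings that fire for this repository."""
    checks = [
        ("license-churn", license_churn_ratio(commits) > 0.5),
        ("single-author", top_author_share(commits) > 0.8),
        ("stargazer-burst", stargazer_burst_share(stargazers) >= 0.8),
        ("inactive-stargazers", inactive_stargazer_share(stargazers) >= 0.5),
    ]
    return [name for name, fired in checks if fired]
```

Any finding on its own is weak evidence; several firing together on a young repository that also pulls in recently published packages is the pattern worth a manual look before the dependency is adopted.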
Sources:
[1] Ethereum Contracts Used to Hide Malicious Code (https://www.reversinglabs.com/blog/ethereum-contracts-malicious-code)
[2] Malicious npm Packages Exploit Ethereum Smart Contracts (https://thehackernews.com/2025/09/malicious-npm-packages-exploit-ethereum.html)
[3] Malicious npm Packages Exploit Ethereum Smart Contracts (https://www.infosecurity-magazine.com/news/malicious-npm-packages-exploit/)
[4] Malicious npm Packages Use Ethereum Blockchain for Malware Delivery (https://www.csoonline.com/article/4050956/malicious-npm-packages-use-ethereum-blockchain-for-malware-delivery.html)
[5] Trump's Crypto Project Under Attack (https://finance.yahoo.com/news/trump-crypto-project-wlfi-under-081337737.html)
[6] BunniXYZ Ethereum Exchange Suffers $2.3M Breach (https://www.mitrade.com/insights/news/live-news/article-3-1087725-20250902)