Hackers Conceal Malicious Links in Smart Contracts


Researchers found malicious npm packages that use Ethereum smart contracts.

Researchers at ReversingLabs identified malicious packages in the npm repository. The packages use Ethereum smart contracts to hide commands and download malware.

Two packages, colortoolsv2 and mimelib2, released in July, functioned as simple loaders. Instead of direct malicious links, they retrieved addresses of control servers from smart contracts.

Upon installation, the packages accessed the blockchain to obtain a URL for downloading the second-stage malware. This complicates detection, as blockchain traffic appears legitimate.
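A defender-side heuristic for the pattern described above, as an added example that is not from ReversingLabs or the original article: it flags an unpacked package whose source combines a blockchain read with download and process-execution calls, and reports install-time lifecycle hooks. The regexes, verdict names and both sample packages are assumptions constructed for illustration.

```javascript
// Added example. Regexes and verdict names are assumptions, not a vetted rule set.
const INDICATORS = {
  chainRead: [/require\(\s*['"](ethers|web3)['"]\s*\)/, /from\s+['"](ethers|web3)['"]/,
              /\beth_call\b/, /new\s+(ethers\.)?Contract\s*\(/],
  download:  [/require\(\s*['"](node:)?https?['"]\s*\)/,
              /require\(\s*['"](axios|node-fetch|got)['"]\s*\)/, /\bfetch\s*\(/],
  execute:   [/require\(\s*['"](node:)?child_process['"]\s*\)/,
              /\b(exec|execSync|execFile|spawn)\s*\(/, /\beval\s*\(/],
};

// files: { relativePath: fileText } for one unpacked package.
function scanPackage(files) {
  const seen = { chainRead: [], download: [], execute: [] };
  for (const [path, src] of Object.entries(files)) {
    if (path === 'package.json') continue;
    for (const [group, patterns] of Object.entries(INDICATORS)) {
      if (patterns.some((re) => re.test(src))) seen[group].push(path);
    }
  }
  // Lifecycle hooks make package code run at install time, before any review.
  const scripts = JSON.parse(files['package.json'] || '{}').scripts || {};
  const installHooks = ['preinstall', 'install', 'postinstall'].filter((h) => h in scripts);
  let verdict = 'low';
  if (seen.chainRead.length && (seen.download.length || seen.execute.length)) verdict = 'review';
  if (seen.chainRead.length && seen.download.length && seen.execute.length) verdict = 'high';
  return { verdict, installHooks, seen };
}

// Constructed samples: text fragments for the scanner, not working programs.
const SAMPLES = {
  walletUtil: {
    'package.json': '{"name":"example-wallet-util","version":"1.0.0"}',
    'index.js': 'const { ethers } = require("ethers");\nmodule.exports = (a) => ethers.getAddress(a);',
  },
  colorHelper: {
    'package.json': '{"name":"example-color-helper","scripts":{"postinstall":"node setup.js"}}',
    'setup.js': [
      'const { ethers } = require("ethers");',
      'const { exec } = require("child_process");',
      'const c = new ethers.Contract(ADDR, ABI, provider);',
      '/* ... */ fetch(urlFromContract); /* ... */ exec(savedFile);',
    ].join('\n'),
  },
};
console.log(scanPackage(SAMPLES.colorHelper).verdict);
```

A "high" or "review" verdict is a triage signal, strongest when the package's stated purpose has nothing to do with blockchains; legitimate wallet tooling can also trip it.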

According to ReversingLabs researcher Lucia Valentic, the novelty lies in using smart contracts to host URLs. Such methods had not been seen before.

The attack is part of a larger campaign using social engineering on GitHub. The perpetrators created fake repositories of trading bots. They simulated active development with fake commits and multiple accounts to gain trust.

Valentic noted that this new attack vector demonstrates the evolution of hacking. Perpetrators combine blockchain and social engineering to bypass traditional detection methods.

Such attacks are not limited to Ethereum. In April, a fake GitHub repository masquerading as a trading bot for Solana spread malware to steal wallet data. Hackers also targeted Bitcoinlib, a Python library for Bitcoin development.

Back in August, CertiK founder and Columbia University professor Zhonghui Gu stated that the crypto industry is engaged in an “endless war” with hackers.
