{"id":57123,"date":"2025-09-04T10:02:41","date_gmt":"2025-09-04T07:02:41","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=57123"},"modified":"2025-09-04T10:05:11","modified_gmt":"2025-09-04T07:05:11","slug":"hackers-conceal-malicious-links-in-smart-contracts","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/hackers-conceal-malicious-links-in-smart-contracts\/","title":{"rendered":"Hackers Conceal Malicious Links in Smart Contracts"},"content":{"rendered":"<p>Researchers at ReversingLabs <a href=\"https:\/\/www.reversinglabs.com\/blog\/ethereum-contracts-malicious-code\">identified<\/a> malicious packages in the <span data-descr=\"Node Package Manager \u2014 the standard package manager for JavaScript\" class=\"old_tooltip\">NPM<\/span> repository. They employ Ethereum smart contracts to hide commands and download malware.<\/p>\n<p>Two packages, colortoolsv2 and mimelib2, released in July, functioned as simple loaders. Instead of direct malicious links, they retrieved addresses of control servers from smart contracts.<\/p>\n<p>Upon installation, the packages accessed the blockchain to obtain a URL for downloading the second-stage malware. This complicates detection, as blockchain traffic appears legitimate.<\/p>\n<p>According to ReversingLabs researcher Lucia Valentic, the novelty lies in using smart contracts to host URLs. Such methods had not been seen before.<\/p>\n<p>The attack is part of a larger campaign using social engineering on GitHub. The perpetrators created fake repositories of trading bots. They simulated active development with fake commits and multiple accounts to gain trust.<\/p>\n<p>Valentic noted that this new attack vector demonstrates the evolution of hacking. Perpetrators combine blockchain and social engineering to bypass traditional detection methods.<\/p>\n<p>Such attacks are not limited to Ethereum. In April, a fake GitHub repository masquerading as a trading bot for Solana spread malware to steal wallet data. 
Hackers also targeted Bitcoinlib, a Python library for Bitcoin development.<\/p>\n<p>Back in August, CertiK founder and Columbia University professor Ronghui Gu <a href=\"https:\/\/forklog.com\/en\/news\/certik-founder-describes-battle-with-hackers-as-endless\">stated<\/a> that the crypto industry is engaged in an &#8220;endless war&#8221; with hackers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers identified malicious packages in the NPM repository. They employ Ethereum smart contracts to hide commands and download malware.<\/p>\n","protected":false},"author":1,"featured_media":57124,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"Researchers found malicious packages in NPM using Ethereum smart contracts.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,54],"class_list":["post-57123","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-smart-contracts"],"aioseo_notices":[],"amp_enabled":true,"views":"190","promo_type":"1","layout_type":"1","short_excerpt":"Researchers found malicious packages in NPM using Ethereum smart 
contracts.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/57123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=57123"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/57123\/revisions"}],"predecessor-version":[{"id":57125,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/57123\/revisions\/57125"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/57124"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=57123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=57123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=57123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}