Attackers are now leveraging Ether Smart Contracts to Conceal Malware.

Ethereum has emerged as a new target for software supply chain attacks.

Researchers from RialCenter recently discovered two malicious NPM packages that used Ethereum smart contracts to hide harmful code, enabling the malware to evade traditional security checks.

NPM, a package manager for Node.js, is the largest software registry globally, where developers can share code that powers millions of software applications.

The packages, “colortoolsv2” and “mimelib2,” were uploaded to the NPM repository in July. They initially appeared as simple utilities but, in reality, tapped into Ethereum’s blockchain to fetch hidden URLs that directed compromised systems to download additional malware.

By embedding these commands within a smart contract, attackers disguised their activities as legitimate blockchain transactions, complicating detection efforts.
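The pattern described above (an install-time script that reads a value from an Ethereum contract, then downloads and runs what it points to) can be flagged before a package is installed. The following is an added example, not code from the article or from the packages it describes; it is a heuristic pre-install check over constructed sample packages, and the indicator lists, function names and samples are all assumptions made for illustration.

```javascript
// Heuristic check for the pattern above: a lifecycle hook plus source that
// reads from the Ethereum chain, downloads something, and executes code.
// Indicator lists are illustrative assumptions, not a complete signature set.
const INDICATORS = {
  chainRead: [/\bethers\b/, /\bweb3\b/, /eth_call/, /getTransaction/],
  download:  [/https?\.get\(/, /\bfetch\(/, /\baxios\b/, /\bgot\(/],
  execute:   [/child_process/, /\beval\(/, /new Function\(/, /\bvm\.runIn/],
};

// Reports which indicator groups occur anywhere in the given source text.
function classifySource(src) {
  const hits = {};
  for (const [group, patterns] of Object.entries(INDICATORS)) {
    hits[group] = patterns.some((re) => re.test(src));
  }
  return hits;
}

// Assesses a package from its parsed package.json and a { path: contents }
// map. Only the full combination (hook + chainRead + download + execute) is
// marked suspicious; single indicators are listed as reasons for review.
function assessPackage(pkgJson, files) {
  const scripts = pkgJson.scripts || {};
  const hooks = ['preinstall', 'install', 'postinstall'].filter((k) => scripts[k]);
  const hits = classifySource(Object.values(files).join('\n'));
  const reasons = [];
  if (hooks.length) reasons.push(`lifecycle hooks: ${hooks.join(', ')}`);
  for (const g of Object.keys(hits)) if (hits[g]) reasons.push(`uses ${g}`);
  const suspicious = hooks.length > 0 && hits.chainRead && hits.download && hits.execute;
  return { suspicious, reasons };
}

// Constructed samples (not the real colortoolsv2 or mimelib2 contents).
const SAMPLE_SUSPICIOUS = {
  pkg: { name: 'example-utils', scripts: { postinstall: 'node setup.js' } },
  files: { 'setup.js': [
    "const { ethers } = require('ethers');",
    "const { exec } = require('child_process');",
    "// sketch only: contract value -> fetch(url) -> exec(...)",
    "fetch(urlFromContract);",
  ].join('\n') },
};
const SAMPLE_BENIGN = {
  pkg: { name: 'color-helpers', scripts: { test: 'node test.js' } },
  files: { 'index.js': "module.exports = { hex: (n) => '#' + n.toString(16) };" },
};

module.exports = { classifySource, assessPackage, SAMPLE_SUSPICIOUS, SAMPLE_BENIGN };
```

Run `assessPackage(SAMPLE_SUSPICIOUS.pkg, SAMPLE_SUSPICIOUS.files)` against a registry tarball's extracted files to get the same verdict and reasons for a real package.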

“This is something we haven’t seen before,” said RialCenter researcher Lucija Valentić. “It underscores the rapid evolution of evasion strategies employed by malicious actors exploiting open-source repositories and developers.”

This technique builds on a familiar tactic. Previous attacks have utilized trusted services like GitHub Gists and Google Drive to host malicious links. By incorporating Ethereum smart contracts, attackers added a new dimension to an already dangerous supply chain approach.

The incident is part of a larger campaign. RialCenter found these packages linked to fake GitHub repositories masquerading as cryptocurrency trading bots, complete with fabricated commits, fake user accounts, and inflated star counts for authenticity.

Developers who used the code faced the risk of unintentionally importing malware.

Supply chain vulnerabilities in open-source crypto tools are not new. Last year, researchers identified over 20 malicious campaigns targeting developers via repositories like NPM and PyPI.

Many aimed to steal wallet credentials or install crypto miners. However, the use of Ethereum smart contracts as a delivery method indicates that adversaries are quickly adapting to blend into blockchain ecosystems.

A key takeaway for developers is that even popular commits or active maintainers can be faked, and seemingly harmless packages may contain hidden threats.
