4-9-2025 – Cybersecurity researchers at ReversingLabs have uncovered a novel malware delivery method that uses Ethereum smart contracts to conceal the location of malicious payloads, bypassing traditional security scans. The discovery, detailed in a Wednesday blog post by researcher Lucija Valentić, involves two malicious packages, "colortoolsv2" and "mimelib2," published to the npm registry in July.
These packages act as downloaders: rather than carrying a hard-coded command-and-control address, they read the C2 URL from an Ethereum smart contract and then fetch second-stage malware from that URL. Because the package itself contains only a contract lookup, static scanning finds no malicious URL, and the outbound request looks like ordinary blockchain traffic, which makes detection difficult. The approach marks an evolution from earlier attacks, including those by the North Korean-affiliated Lazarus Group, which also made use of Ethereum smart contracts, though not to host malicious URLs. The malware is part of a sophisticated social engineering campaign on GitHub, featuring fake cryptocurrency trading bot repositories with fabricated commits, sham user accounts, and polished documentation to appear credible.
Valentić noted that such tactics reflect the rapid evolution of threat actors exploiting open-source repositories. In 2024 alone, researchers documented 23 crypto-related malicious campaigns, with similar attacks targeting Solana and bitcoinlib developers.