Share this article
Crypto Hackers are Now Using Ethereum Smart Contracts to Mask Malware Payloads
Simple-looking code tapped Ethereum’s blockchain to fetch hidden URLs that directed compromised systems to download second-stage malware.
Updated Sep 4, 2025, 2:07 p.m. Published Sep 4, 2025, 6:52 a.m.
What to know:
- Researchers discovered malicious NPM packages using Ethereum smart contracts to hide harmful code.
- The packages disguised their activity as legitimate blockchain traffic, making detection difficult.
- Developers are warned that even popular commits can be faked, posing supply chain risks.
Ethereum has become the latest front for software supply chain attacks.
Researchers at ReversingLabs earlier this week uncovered two malicious NPM packages that used Ethereum smart contracts to conceal harmful code, allowing the malware to bypass traditional security checks.
STORY CONTINUES BELOW
Don't miss another story.Subscribe to the Crypto Daybook Americas Newsletter today. See all newsletters
NPM is a package manager for the runtime environment Node.js and is considered the world’s largest software registry, where developers can access and share code that contributes to millions of software programs.
The packages, “colortoolsv2” and “mimelib2,” were uploaded to the widely used Node Package Manager repository in July. They appeared to be simple utilities at first glance, but in practice, they tapped Ethereum’s blockchain to fetch hidden URLs that directed compromised systems to download second-stage malware.
By embedding these commands within a smart contract, attackers disguised their activity as legitimate blockchain traffic, making detection more difficult.
“This is something we haven’t seen previously,” ReversingLabs researcher Lucija Valentić said in their report. “It highlights the fast evolution of detection evasion strategies by malicious actors who are trolling open source repositories and developers.”
The technique builds on an old playbook. Past attacks have used trusted services like GitHub Gists, Google Drive, or OneDrive to host malicious links. By leveraging Ethereum smart contracts instead, attackers added a crypto-flavored twist to an already dangerous supply chain tactic.
The incident is part of a broader campaign. ReversingLabs discovered the packages tied to fake GitHub repositories that posed as cryptocurrency trading bots. These repos were padded with fabricated commits, bogus user accounts, and inflated star counts to look legitimate.
Developers who pulled the code risked importing malware without being aware of it.
Supply chain risks in open-source crypto tooling are not new. Last year, researchers flagged more than 20 malicious campaigns targeting developers through repositories such as npm and PyPI.
Many were aimed at stealing wallet credentials or installing crypto miners. But the use of Ethereum smart contracts as a delivery mechanism shows adversaries are adapting quickly to blend into blockchain ecosystems.
A takeaway for developers is that popular commits or active maintainers can be faked, and even seemingly innocuous packages may carry hidden payloads.
More For You
What to know:
- As of October 2025, GoPlus has generated $4.7M in total revenue across its product lines. The GoPlus App is the primary revenue driver, contributing $2.5M (approx. 53%), followed by the SafeToken Protocol at $1.7M.
- GoPlus Intelligence's Token Security API averaged 717 million monthly calls year-to-date in 2025 , with a peak of nearly 1 billion calls in February 2025. Total blockchain-level requests, including transaction simulations, averaged an additional 350 million per month.
- Since its January 2025 launch , the $GPS token has registered over $5B in total spot volume and $10B in derivatives volume in 2025. Monthly spot volume peaked in March 2025 at over $1.1B , while derivatives volume peaked the same month at over $4B.
More For You
These Three Metrics Show Bitcoin Found Strong Support Near $80,000
Onchain data shows multiple cost basis metrics confirm heavy demand and investor conviction around the $80,000 price level.
What to know:
- Bitcoin rebounded from the $80,000 region after a sharp correction from its October all time high, with price holding above the average entry levels of key metrics.
- The convergence of the True Market Mean, U.S. ETF cost basis, and the 2024 yearly cost basis around the low $80,000 range highlights this zone as a major area of structural support.
Top Stories
