Hackers Hide Malware in Ethereum Smart Contracts to Evade Scans

September 5, 2025
Image from The Shib Daily

Cybersecurity firm ReversingLabs has uncovered a new method for spreading malicious software. Researchers found that two NPM packages used Ethereum smart contracts to hide harmful URLs and bypass traditional security scans.

Key points:
  • Two NPM packages, colortoolsv2 and mimelib2, used Ethereum smart contracts to hide malicious URLs and deliver second-stage malware.
  • The malware is part of a larger, sophisticated campaign targeting both NPM and GitHub, using social engineering and deceptive tactics to trick developers.
  • This discovery emphasizes how cyber threats are evolving, combining emerging technologies with creative methods to evade detection.

ReversingLabs software threat researcher Lucija Valentić reported the discovery of two new pieces of open-source malware hosted on the Node Package Manager (NPM) repository. “The two npm packages abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems. The packages are colortoolsv2, published on July 7, and mimelib2, a nearly identical package that was published in late July,” Valentić wrote. 

Valentić explained that the two packages are linked to a broader, sophisticated campaign targeting both NPM and GitHub. The operation involves malicious actors using advanced social engineering and deceptive tactics to trick developers into integrating harmful code into their projects.

Furthermore, the packages were designed to bypass security scans by acting as simple downloaders rather than directly hosting malicious links. After installation, they used Ethereum smart contracts to fetch command and control server addresses from the blockchain, which then delivered second-stage malware. This approach made detection more difficult, as the blockchain traffic appeared normal and legitimate.
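A defender-side triage for the pattern described above, as an added example that is not from the article or from ReversingLabs: it flags package files where an on-chain lookup (Ethereum library use plus a hard-coded contract address) appears together with download or process-execution code. The regex indicators, function names and sample files are assumptions constructed for illustration.

```javascript
// Added example: heuristic triage, not ReversingLabs' detection logic.
// All patterns below are assumptions chosen for illustration.
const CHAIN = [/require\(\s*['"](ethers|web3)['"]\s*\)/, /from\s+['"](ethers|web3)['"]/,
               /\beth_call\b/, /\bnew\s+(\w+\.)?Contract\s*\(/];
const ADDRESS = /\b0x[0-9a-fA-F]{40}\b/;            // hard-coded contract address
const FETCH = [/\bfetch\s*\(/, /require\(\s*['"](node:)?https?['"]\s*\)/, /\baxios\b/];
const EXEC = [/require\(\s*['"](node:)?child_process['"]\s*\)/,
              /\b(exec|execSync|spawn|spawnSync)\s*\(/, /\beval\s*\(/];

const any = (patterns, src) => patterns.some((p) => p.test(src));

// Classify one source file by which capabilities appear together.
function triageSource(src) {
  const onChain = any(CHAIN, src) && ADDRESS.test(src);
  const fetches = any(FETCH, src);
  const executes = any(EXEC, src);
  let risk = 'none';                                  // on-chain reads alone are normal
  if (onChain && fetches && executes) risk = 'high';  // lookup + download + run
  else if (onChain && (fetches || executes)) risk = 'medium';
  return { onChain, fetches, executes, risk };
}

// files: { "relative/path.js": "source text" }, e.g. read from node_modules.
function triagePackage(files) {
  return Object.entries(files)
    .filter(([path]) => /\.(c|m)?js$/.test(path))     // JavaScript sources only
    .map(([path, src]) => ({ path, ...triageSource(src) }))
    .filter((f) => f.risk !== 'none');
}

// Constructed sample inputs (fragments, not taken from the real packages).
const SAMPLE_FILES = {
  'color-helper/index.js': [
    "const { ethers } = require('ethers');",
    "const { exec } = require('child_process');",
    "const c = new ethers.Contract('0x1111111111111111111111111111111111111111', abi, rpc);",
    '/* ... string read from the contract goes to fetch( ) and then exec( ) ... */',
  ].join('\n'),
  'wallet-ui/balance.js': [
    "import { ethers } from 'ethers';",
    "const token = new ethers.Contract('0x2222222222222222222222222222222222222222', abi, rpc);",
    'export const balanceOf = (who) => token.balanceOf(who);',
  ].join('\n'),
  'build-tool/run.js': "const { spawnSync } = require('child_process');\nspawnSync('tsc', ['-p', '.']);",
  'build-tool/README.md': 'fetch( exec( ethers 0x3333333333333333333333333333333333333333',
};

console.log(triagePackage(SAMPLE_FILES));
```

Point it at the installed dependency tree rather than only the repository, since the behaviour the article describes sat in npm dependencies and not in the GitHub source.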

While malware targeting Ethereum smart contracts has been seen before, Valentić emphasized a key development: the use of smart contracts to host URLs containing malicious commands that deliver second-stage malware. She noted that this tactic spotlights how quickly threat actors are evolving their strategies to evade detection while exploiting open-source repositories and developers.

“Even though the npm package wasn’t very sophisticated, there was much more work put into making the repositories holding the malicious package look trustworthy,” Valentić wrote. “This suggests that the main infection vectors were GitHub projects, with malicious behavior displaced into npm package dependencies so it would be impossible to detect merely by reviewing source code present in GitHub repositories,” she added. 

The discovery spotlights how quickly cyber threats are evolving, blending emerging technologies with creative tactics. As attackers continue to experiment with new methods, the landscape of software security faces increasingly complex and unconventional challenges.

MICHAELA

Michaela is a news writer focused on cryptocurrency and blockchain topics. She prioritizes rigorous research and accuracy to uncover interesting angles and ensure engaging reporting. A lifelong book lover, she applies her passion for reading to deeply explore the constantly evolving crypto world.


Michaela has no crypto positions and does not hold any crypto assets. This article is provided for informational purposes only and should not be construed as financial advice. The Shib Daily is the official publication of the Shiba Inu cryptocurrency project. Readers are encouraged to conduct their own research and consult with a qualified financial adviser before making any investment decisions.
