Cybersecurity firm ReversingLabs has uncovered a new method for spreading malicious software. Researchers found that two NPM packages used Ethereum smart contracts to hide harmful URLs and bypass traditional security scans.
Key points:
- Two NPM packages, colortoolsv2 and mimelib2, used Ethereum smart contracts to hide malicious URLs and deliver second-stage malware.
- The malware is part of a larger, sophisticated campaign targeting both NPM and GitHub, using social engineering and deceptive tactics to trick developers.
- This discovery emphasizes how cyber threats are evolving, combining emerging technologies with creative methods to evade detection.
ReversingLabs software threat researcher Lucija Valentić reported the discovery of two new pieces of open-source malware hosted on the Node Package Manager (NPM) repository. “The two npm packages abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems. The packages are colortoolsv2, published on July 7, and mimelib2, a nearly identical package that was published in late July,” Valentić wrote.
Valentić explained that the two packages are linked to a broader, sophisticated campaign targeting both NPM and GitHub. The operation involves malicious actors using advanced social engineering and deceptive tactics to trick developers into integrating harmful code into their projects.
Furthermore, the packages were designed to bypass security scans by acting as simple downloaders rather than directly containing malicious links. After installation, they queried Ethereum smart contracts to fetch command-and-control (C2) server addresses from the blockchain, and those servers then delivered the second-stage malware. This approach made detection more difficult: no malicious URL was hard-coded in the package, and the blockchain queries looked like normal, legitimate traffic.
While malware targeting Ethereum smart contracts has been seen before, Valentić emphasized a key development: the use of smart contracts to host URLs containing malicious commands that deliver second-stage malware. She noted that this tactic spotlights how quickly threat actors are evolving their strategies to evade detection while exploiting open-source repositories and developers.
“Even though the npm package wasn’t very sophisticated, there was much more work put into making the repositories holding the malicious package look trustworthy,” Valentić wrote. “This suggests that the main infection vectors were GitHub projects, with malicious behavior displaced into npm package dependencies so it would be impossible to detect merely by reviewing source code present in GitHub repositories,” she added.
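A defender-side triage heuristic for the pattern described above (an install-time downloader that reads its target from a smart contract, hidden in an npm dependency rather than in the GitHub repository), as an added example that is not code from ReversingLabs or from the packages themselves; the indicator patterns, scoring rules and sample package contents are constructed for illustration:

```javascript
// Heuristic triage of an installed npm dependency for the pattern in the report:
// install lifecycle hook + on-chain read + download/execute primitives.
// Added example; indicator lists and samples are constructed, not from the real packages.

const INDICATORS = {
  chainRead: [/\bethers\.Contract\b/, /\beth_call\b/, /\bweb3\.eth\b/, /\bgetStorageAt\b/],
  download: [/\bhttps?\.get\(/, /\bfetch\(/, /\baxios\b/],
  execute: [/\bchild_process\b/, /\beval\(/, /\bnew Function\(/, /\bspawn\(/, /\bexecSync\(/],
};
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Return, per category, which indicator patterns occur in the package source.
function findIndicators(source) {
  const hits = {};
  for (const [category, patterns] of Object.entries(INDICATORS)) {
    hits[category] = patterns.filter((p) => p.test(source)).map((p) => p.source);
  }
  return hits;
}

// Combine package.json lifecycle scripts with source indicators into a verdict.
function assessPackage(packageJson, sources) {
  const scripts = packageJson.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
  const hits = findIndicators(sources.join("\n"));
  const reasons = [];
  if (hooks.length) reasons.push(`runs code at install time via: ${hooks.join(", ")}`);
  if (hits.chainRead.length) reasons.push(`reads data from a smart contract: ${hits.chainRead.join(", ")}`);
  if (hits.download.length && hits.execute.length) reasons.push("fetches remote content and executes code");
  // The on-chain read is the distinguishing trait; together with download+execute
  // it matches the downloader pattern, and an install hook makes it fire on npm install.
  let verdict = "low";
  if (hits.chainRead.length && hits.download.length && hits.execute.length) {
    verdict = hooks.length ? "high" : "medium";
  } else if (reasons.length >= 2) {
    verdict = "medium";
  }
  return { verdict, hooks, hits, reasons };
}

// Constructed samples (placeholder names, not real package contents).
const SUSPICIOUS_PKG = { name: "example-colortools", scripts: { postinstall: "node setup.js" } };
const SUSPICIOUS_SRC = [
  "const c = new ethers.Contract(CONTRACT_ADDR, ABI, provider);",
  "const url = await c.getConfig();",
  "https.get(url, (res) => { /* stage payload */ });",
  'require("child_process").execSync(staged);',
];
const BENIGN_PKG = { name: "example-wallet-ui", scripts: { test: "jest" } };
const BENIGN_SRC = ["const c = new ethers.Contract(addr, abi, provider);", "module.exports = (a) => c.balanceOf(a);"];

module.exports = { findIndicators, assessPackage, SUSPICIOUS_PKG, SUSPICIOUS_SRC, BENIGN_PKG, BENIGN_SRC };
```

Run it over each entry in node_modules after a fresh install; a "high" verdict is a triage lead, not proof, since legitimate dapp tooling also reads contracts.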
The discovery highlights how quickly cyber threats are evolving, blending emerging technologies with creative tactics. As attackers continue to experiment with new methods, software security faces increasingly complex and unconventional challenges.
Michaela has no crypto positions and does not hold any crypto assets. This article is provided for informational purposes only and should not be construed as financial advice. The Shib Magazine and The Shib Daily are the official media and publications of the Shiba Inu cryptocurrency project. Readers are encouraged to conduct their own research and consult with a qualified financial adviser before making any investment decisions.