Hackers Discover New Way to Hide Malware Inside Ethereum Smart Contracts
Security researchers are warning about a new attack technique in which hackers exploit smart contracts on Ethereum to conceal and distribute malware, making detection harder than ever.
According to a report from cybersecurity firm ReversingLabs, two malicious npm packages named colortoolsv2 and mimelib2, uploaded in July, used smart contracts to store malicious URLs rather than hardcoding them directly. When developers unknowingly install these packages, the packages query the blockchain to retrieve the command-and-control (C2) server address, then download second-stage malware. By piggybacking on legitimate blockchain traffic, the malware easily slips past security scanning systems.
Notably, this was not an isolated incident — it is part of a large-scale GitHub fraud campaign. The threat actors created fake crypto trading bot repositories with fabricated commits, multiple admin accounts to boost credibility, and polished documentation designed to deceive developers.
Similar campaigns had previously been documented on Solana and Bitcoin. However, using Ethereum smart contracts to hide malicious URLs is an entirely new technique, signaling that hackers are growing increasingly creative in combining blockchain infrastructure with social engineering tactics to bypass traditional defenses.
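
Because the URL is no longer in the package source, a review has to look for the lookup itself. The following is an added example, not code from ReversingLabs or from the packages: a static triage heuristic that flags a package when a blockchain client, a contract address literal, and a download or execution primitive appear together. The signal names, function names, and sample inputs are assumptions constructed for illustration.

```javascript
// Added example: static triage heuristic; all names here are hypothetical.
// A package is flagged when it (1) loads an Ethereum client, (2) embeds a
// contract address, and (3) can fetch or execute something.
const SIGNALS = {
  chainClient: /require\(\s*['"](ethers|web3)['"]\s*\)|from\s+['"](ethers|web3)['"]|\beth_call\b/,
  // 0x + exactly 40 hex digits; the trailing \b rejects 64-digit tx/block hashes.
  contractAddress: /\b0x[0-9a-fA-F]{40}\b/,
  fetchOrExec: /require\(\s*['"](child_process|https?)['"]\s*\)|\bfetch\s*\(/,
};

// Return which signals appear in one source file.
function scanSource(source) {
  const hits = {};
  for (const [name, re] of Object.entries(SIGNALS)) hits[name] = re.test(source);
  return hits;
}

// files: { relativePath: sourceText } for every JS file in the unpacked tarball.
function triagePackage(files) {
  const evidence = { chainClient: [], contractAddress: [], fetchOrExec: [] };
  for (const [path, src] of Object.entries(files)) {
    const hits = scanSource(src);
    for (const name of Object.keys(evidence)) if (hits[name]) evidence[name].push(path);
  }
  // Signals may sit in different files, so correlate at package level.
  const readsChain = evidence.chainClient.length > 0 && evidence.contractAddress.length > 0;
  return { suspicious: readsChain && evidence.fetchOrExec.length > 0, readsChain, evidence };
}

// Constructed sample inputs (not taken from the real packages).
const PLACEHOLDER_ADDR = "0x" + "0".repeat(40);
const suspectPkg = {
  "index.js": 'const { ethers } = require("ethers");\nconst cp = require("child_process");\n',
  "lib/cfg.js": `module.exports = { registry: "${PLACEHOLDER_ADDR}" };\n`,
};
const benignPkg = {
  "index.js": 'const https = require("https");\nmodule.exports = (hex) => "#" + hex;\n',
};

console.log(triagePackage(suspectPkg).suspicious, triagePackage(benignPkg).suspicious);
```

Legitimate web3 tooling will also match, so a hit is a prompt for manual review, weighted by whether the package's stated purpose has anything to do with a blockchain.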