Hackers Using Ethereum Smart Contracts to Deliver Malware: Report

Software security firm ReversingLabs has identified two open-source code packages that use Ethereum smart contracts to download malware. It forms part of a “sophisticated campaign” of malicious actors attempting to hack users via poisoned blockchain-related public code libraries—a vector of attack Binance has previously linked to North Korean hackers.

The two Node Package Manager (NPM) libraries, or packages, called colortoolsv2 and mimelib2, were effectively identical in that they contained two files, one of which would run a script that downloads the second half of the malware attack via an Ethereum smart contract. NPM packages are collections of reusable, open-source code that developers will frequently use.

Lucija Valentić, Software threat researcher at ReversingLabs, wrote that the use of smart contracts was “something we haven’t seen previously.” 

“‘Downloaders’ that retrieve late-stage malware are being published to the npm repository weekly—if not daily,” she said. “What is new and different is the use of Ethereum smart contracts to host the URLs where malicious commands are located, downloading the second-stage malware.”

These two packages were just the tip of the iceberg, as ReversingLabs found a larger campaign of poisoned packages across GitHub. The security firm discovered a network of GitHub repositories that were connected to the aforementioned malicious package colortoolsv2. Most of the network was branded as crypto trading bots or token sniping tools.

“Even though the NPM package wasn’t very sophisticated, there was much more work put into making the repositories holding the malicious package look trustworthy,” Valentić said. 

She explained in the report that some repositories had thousands of commits, a good number of stars, and a couple of contributors, which could lead a developer to trust it. But ReversingLabs believes that most of this activity was faked by the attackers.

“It is especially dangerous because programmers wouldn’t think it’d be an issue when they use publicly maintained codebases,” 0xToolman, a pseudonymous on-chain sleuth at Bubblemaps, told Decrypt. “It could be the assumption that open source equals public monitoring equals safety. It could be simply that one is unable to check every code he is using as he did not write it, and it would take so much time to do so.”

Binance links NPM poisoning to DPRK

Major centralized exchange Binance told Decrypt last month that it was aware of such attacks and forces employees to go through NPM libraries with a fine-tooth comb as a result. 

Binance chief security officer, Jimmy Su, explained that package poisoning is a growing vector of attack for North Korean hackers, which he identified as the single biggest threat to crypto companies.

“The largest vector currently against the crypto industry is state actors, particularly in the DPRK, [with] Lazarus,” Su told Decrypt in August. “They’ve had a crypto focus in the last two, three years and have been quite successful in their endeavors.”

North Korean hackers are believed to have been responsible for 61% of all crypto stolen in 2024, a Chainalysis report revealed, which totalled $1.3 billion. Since then, the FBI has attributed North Korean attackers to the $1.4 billion Bybit hack, which is the largest crypto hack of all time.

While the main vector of attack that Su has noted is via fake employees, NPM package poisoning is in second place alongside fake interview scams. As such, major crypto exchanges share intelligence via Telegram and Signal groups so they can highlight poisoned libraries.

“We are mostly in this alliance on the frontline, so for the first responders, when [there are] hacks or [we need] incident response. We are always in this group, like with other exchanges, such as Coinbase, Kraken,” Su explained. “We’ve been in alliance with those exchanges for years now. There are more formal ones that are being formed today, but in terms of operating on the frontline. We’ve been doing that for years now.”