Hackers Use Ethereum Smart Contracts to Hide Viruses in Open-Source Libraries

In a surprising twist in the world of cybersecurity, researchers have discovered that cybercriminals are using Ethereum’s smart contract technology — those automatic programs that run on the cryptocurrency’s blockchain — to hide malware in popular software packages.
This novel method allows attackers to evade detection and distribute malware through repositories such as npm and GitHub, two platforms widely used by developers to share open-source code. The finding, revealed this week, highlights how hackers are evolving their tactics to infiltrate the open-source ecosystem.
A new formula for attack
According to a detailed report by security firm ReversingLabs, published on its official blog, the malicious packages identified are “colortoolsv2” and “mimelib2”. These were published on npm — the largest package registry for JavaScript, where programmers download tools to build applications — in July.
At first glance, they seem like harmless utilities, but in reality they run a hidden script that queries a smart contract on Ethereum to obtain secret web addresses. These addresses lead to a “command and control” (C2) server, from which additional malware is downloaded to infect the user’s device.
This technique is innovative because, instead of including the malicious links directly in the package code, which would make them easier to detect, the hackers store them on the Ethereum blockchain, disguising the traffic as legitimate cryptocurrency-related activity. “This is something we haven’t seen before,” explained Lucija Valentić, a researcher at ReversingLabs.
The threat “highlights the rapid evolution of detection evasion strategies by malicious actors who prowl open-source repositories and developers,” the report adds.
The packages were quickly removed from npm after researchers reported them, but the potential damage was already done: any developer who had downloaded them could have unknowingly introduced the virus into their projects.
Malicious campaign spreads to GitHub
The threat is not limited to npm. The report reveals that it is part of a broader campaign involving fake repositories on GitHub, the largest collaborative platform for open source and one that is popular with cryptocurrency developers.
For example, repositories such as “solana-trading-bot-v2,” “ethereum-mev-bot-v2,” and “arbitrage-bot” masquerade as crypto trading bots to attract users interested in digital finance. These repositories seem trustworthy at first glance, with thousands of commits, approval stars, and active contributors. However, it is all an illusion.
In reality, the commits are automated and trivial — such as adding or removing license files repeatedly — the stars come from fake accounts created en masse, and the contributors are “puppet accounts” controlled by the hackers, with names like “pasttimerles,” “slunfuedrac” and “cnaovalles,” the report notes.
This “social engineering” tactic — tricking people into trusting something fake — causes developers to incorporate these malicious packages as dependencies into their own programs, inadvertently spreading the malware.
As Valentić notes, “Once we decided to dig deeper into the packages, we discovered evidence of a much larger campaign that was spreading on both npm and GitHub, trying to lure developers into downloading repositories that included malicious npm packages.”
Crypto developers should be cautious
This is not the first time similar attacks have been seen. In previous years, hackers have used trusted services such as GitHub Gists, Google Drive, or OneDrive to hide malicious links. But integrating Ethereum smart contracts adds a “crypto” touch that further complicates detection, since the traffic looks normal in environments that already interact with blockchains.
Last year, more than 20 similar malicious campaigns were documented in repositories such as npm and PyPI (for Python), many focused on stealing credentials from cryptocurrency wallets or installing unauthorized cryptocurrency miners, as CoinDesk recalls.
This means that even free and popular tools on the internet can be traps. Developers, particularly those in the cryptocurrency world, should be cautious, as data such as the number of stars or commits can be manipulated.
“Developers and organizations need to be vigilant about efforts to implant malicious code in legitimate applications, access sensitive assets, and steal data or digital assets,” Valentić said. Recommendations include checking the actual history of repositories and using security analysis tools before integrating any packages.
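One concrete form of the pre-integration check recommended above, written here as an added example rather than ReversingLabs' tooling or anything from the article: a Node.js heuristic that inspects an unpacked npm package for install-time lifecycle hooks whose scripts both contact a blockchain RPC endpoint and execute something dynamically, the combination the campaign described above relies on. The indicator lists, the input format (a map of file paths to contents) and the sample package are all assumptions constructed for this example.

```javascript
// Added example (not ReversingLabs' tooling): heuristic audit of an unpacked npm package,
// flagging install hooks whose scripts read from a blockchain RPC and execute dynamically.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const CHAIN_INDICATORS = [
  /\beth_call\b/, /\bethers\b/, /\bweb3\b/i, /JsonRpcProvider/,
  /\b0x[0-9a-fA-F]{40}\b/,            // 20-byte hex literal, the shape of a contract address
];
const EXEC_INDICATORS = [/\beval\s*\(/, /new\s+Function\s*\(/, /child_process/, /\b(exec|spawn)(Sync)?\s*\(/];

// files: { relativePath: contents } as produced by unpacking the package tarball (assumed format).
function auditPackage(files) {
  const findings = [];
  let suspicious = false;
  const scripts = JSON.parse(files['package.json'] || '{}').scripts || {};
  // Lifecycle hooks run automatically on `npm install`; note which local files they invoke.
  const hookFiles = new Set();
  for (const hook of LIFECYCLE_HOOKS) {
    if (!scripts[hook]) continue;
    findings.push(`lifecycle hook "${hook}" runs: ${scripts[hook]}`);
    for (const m of scripts[hook].matchAll(/\bnode\s+(\S+\.[cm]?js)/g)) {
      hookFiles.add(m[1].replace(/^\.\//, ''));
    }
  }
  // On-chain lookups are rare in utility libraries; combined with dynamic execution or an
  // install-time hook they match the loader behaviour described in the report.
  for (const [path, src] of Object.entries(files)) {
    if (!/\.[cm]?js$/.test(path)) continue;
    const chain = CHAIN_INDICATORS.filter((re) => re.test(src)).length;
    const exec = EXEC_INDICATORS.filter((re) => re.test(src)).length;
    const atInstall = hookFiles.has(path);
    if (chain && (exec || atInstall)) {
      suspicious = true;
      findings.push(`${path}: blockchain RPC usage (${chain} indicators)` +
        (exec ? `, dynamic execution (${exec})` : '') + (atInstall ? ', runs at install time' : ''));
    }
  }
  return { suspicious, findings };
}

// Constructed sample package; the file contents are indicator text only, not working code.
const SAMPLE = {
  'package.json': JSON.stringify({ name: 'example-color-utils', version: '1.0.0',
    scripts: { postinstall: 'node ./lib/setup.js' } }),
  'lib/setup.js': [
    "const { ethers } = require('ethers');",
    "const provider = new ethers.JsonRpcProvider(RPC_URL);",
    "const c = new ethers.Contract('0x0000000000000000000000000000000000000000', ABI, provider); // placeholder address",
    "require('child_process'); // next stage fetched from the URL read off-chain (elided)",
  ].join('\n'),
  'index.js': "module.exports = { pad: (s, n) => s.padStart(n, ' ') };",
};
console.log(auditPackage(SAMPLE));
```

Run against a real tarball, feed it the extracted files; a hit is a reason to read the hooked script by hand, not proof of malice, since legitimate blockchain tooling will also trip the chain indicators.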
This incident underscores the growing risks in the software supply chain, where a single infected package can affect millions of applications. It is also the latest sign that hackers are rapidly adapting to the blockchain ecosystem, turning it into a new cyber battleground.