Quick Breakdown
- Hackers are embedding malware commands in Ethereum smart contracts to bypass scans.
- Malicious NPM packages, colortoolsv2 and mimelib2, retrieved C2 servers from the blockchain.
- Campaigns used fake GitHub repositories to trick developers into downloading infected code.
Threat actors exploit blockchain to conceal malicious commands in open-source packages
Cybercriminals are adopting a new method of delivering malware by embedding malicious commands inside Ethereum smart contracts, making detection significantly harder for security systems.

Researchers at ReversingLabs, a digital asset compliance firm, revealed that attackers have uploaded malicious packages to the Node Package Manager (NPM) repository, one of the largest hubs for JavaScript libraries.
Smart Contracts Used as Malware Hosts
According to ReversingLabs researcher Lucija Valentić, the malware packages “colortoolsv2” and “mimelib2” were published in July and disguised as legitimate tools. Instead of directly linking to malicious domains, the code fetched command-and-control (C2) addresses from Ethereum smart contracts, bypassing routine security scans.
Once installed, the packages queried the blockchain to retrieve download links for second-stage malware, which carried out the actual malicious activity. Since blockchain traffic typically appears legitimate, this tactic makes detection more complex.
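As an added example (not code from the article, from ReversingLabs, or from the packages it describes), the heuristic below scores an npm package for the behaviour just described: an install lifecycle hook combined with code that resolves a download location through Ethereum JSON-RPC, fetches it, and executes the result. The indicator patterns and the two sample packages are constructed assumptions, not signatures taken from colortoolsv2 or mimelib2.

```javascript
// Added example, not code from the article or from ReversingLabs: a heuristic
// scoring pass for an npm package before it is installed. It looks for the
// combination the article describes: an install lifecycle hook, code that
// resolves a download location through Ethereum JSON-RPC, an outbound fetch,
// and dynamic execution of what was fetched. The indicator patterns are
// assumptions, not signatures extracted from colortoolsv2 or mimelib2.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const INDICATORS = [
  // Ethereum RPC / provider-library usage serving as a C2 or payload lookup.
  { name: "eth-rpc", re: /\beth_call\b|\beth_getStorageAt\b|\bethers\b|\bweb3\b/ },
  // Outbound retrieval of a second stage.
  { name: "remote-fetch", re: /\b(?:fetch|axios|https?\.get)\s*\(/ },
  // Executing retrieved content instead of shipping it in the package.
  { name: "dyn-exec", re: /\beval\s*\(|new\s+Function\s*\(|child_process/ },
];

// pkg = { packageJson: <parsed package.json>, sources: { relativePath: code } }
function scanPackage(pkg) {
  const scripts = pkg.packageJson.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => h in scripts);
  const hits = new Set();
  for (const code of Object.values(pkg.sources)) {
    for (const ind of INDICATORS) if (ind.re.test(code)) hits.add(ind.name);
  }
  const fullChain = ["eth-rpc", "remote-fetch", "dyn-exec"].every((n) => hits.has(n));
  let verdict = "allow";
  if (hooks.length > 0 && fullChain) verdict = "block"; // whole chain runs at install time
  else if (fullChain || (hooks.length > 0 && hits.has("eth-rpc"))) verdict = "review";
  return { hooks, indicators: [...hits].sort(), verdict };
}

// Constructed sample that mimics the described behaviour (not the real package code).
const SUSPECT = {
  packageJson: { name: "example-pkg", scripts: { postinstall: "node setup.js" } },
  sources: {
    "setup.js": [
      'const { ethers } = require("ethers");',
      "const url = await contract.getUrl(); // eth_call against the contract",
      "const body = await (await fetch(url)).text();",
      "eval(body);",
    ].join("\n"),
  },
};
// Constructed benign package for comparison: a provider library alone is not a finding.
const BENIGN = {
  packageJson: { name: "wallet-helper", scripts: { test: "node test.js" } },
  sources: { "index.js": 'const { ethers } = require("ethers");\nmodule.exports = ethers;' },
};
```

Running `scanPackage` on a real package would need a loader that reads package.json and the .js files from the unpacked tarball into the same shape; the verdict is a triage signal for review, not proof of compromise.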
A New Twist on Old Attacks
While the use of smart contracts in malware is not new (the North Korean Lazarus Group used a similar approach earlier this year), the latest method is distinct. Instead of merely hiding malware within contracts, attackers are now embedding the very URLs for payload delivery inside Ethereum’s decentralized infrastructure.
Social Engineering Behind the Scenes
The malicious packages were part of a larger deception campaign targeting developers through GitHub repositories. Threat actors built fake cryptocurrency trading bot projects complete with fabricated commits, multiple fake maintainers, and polished documentation to establish credibility.
These repositories lured unsuspecting developers into downloading the infected packages, further spreading the malware.
A Growing Trend of Crypto-Focused Malware
Security experts documented 23 crypto-related malware campaigns on open-source repositories in 2024. This latest incident underscores how attackers are merging blockchain technology with social engineering to bypass traditional security tools.
The threat is not limited to Ethereum. In April, a fake GitHub repository mimicking a Solana trading bot delivered credential-stealing malware, while another campaign targeted Bitcoinlib, a popular open-source Python library.