Ethereum has become the latest front for software supply chain attacks.
Researchers at ReversingLabs earlier this week revealed two malicious NPM packages that used Ethereum smart contracts to hide malicious code, enabling malware to bypass traditional security checks.
NPM is the package manager for the Node.js runtime environment and is considered the world’s largest software registry, where developers can access and share code that goes into millions of software programs.
The packages, “Colortoolsv2” and “Mimelib2”, were uploaded to the widely used Node Package Manager repository in July. They looked like simple utilities at first glance, but in practice they queried Ethereum’s blockchain to retrieve hidden URLs that directed compromised systems to download second-stage malware.
By embedding these commands within a smart contract, the attackers disguised their activity as legitimate blockchain traffic, making detection more difficult.
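The pattern described above (a contract read that yields a download location, followed by a fetch or execution step, often from an install hook) can be checked for before a package is installed. The following is an added example, not ReversingLabs’ tooling or anything from the packages themselves; the indicator lists and the two sample packages are constructed for illustration.

```python
"""Heuristic pre-install scan for npm packages that combine an Ethereum
contract read with fetching or running remotely decided code.
Added example; indicator patterns and sample files are constructed."""
import json
import re

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Signs the package reads from Ethereum (library import, raw RPC, address).
CHAIN_PATTERNS = [r"\beth_call\b", r"require\(['\"](ethers|web3)['\"]\)",
                  r"from ['\"](ethers|web3)['\"]", r"0x[0-9a-fA-F]{40}"]
# Signs it fetches or executes something decided at runtime.
FETCH_EXEC_PATTERNS = [r"\bfetch\(", r"\baxios\b", r"https?\.get\(",
                       r"child_process", r"\beval\(", r"new Function\("]

def _hits(patterns, text):
    return sorted({p for p in patterns if re.search(p, text)})

def scan_package(files):
    """files: {path: content}. Returns finding strings; [] means clean."""
    findings = []
    pkg = json.loads(files.get("package.json", "{}"))
    hooks = [k for k in pkg.get("scripts", {}) if k in INSTALL_HOOKS]
    if hooks:  # code that runs at install time deserves a closer look
        findings.append(f"install lifecycle scripts present: {sorted(hooks)}")
    for path, src in files.items():
        if not path.endswith((".js", ".cjs", ".mjs")):
            continue
        chain, fetch = _hits(CHAIN_PATTERNS, src), _hits(FETCH_EXEC_PATTERNS, src)
        if chain and fetch:  # the risky pairing: contract read feeding a download/exec
            findings.append(f"{path}: contract-read indicators {chain} "
                            f"with fetch/exec indicators {fetch}")
    return findings

# Constructed sample with inert fragments mimicking the described behaviour.
SAMPLE = {
    "package.json": json.dumps({"name": "colortools-sample", "version": "0.0.1",
                                "scripts": {"postinstall": "node index.js"}}),
    "index.js": ('const { ethers } = require("ethers");\n'
                 'const CONTRACT = "0x' + "00" * 20 + '"; // placeholder address\n'
                 '// read a string from the contract, then fetch whatever URL it holds\n'
                 'const url = await contract.getUrl(); const r = await fetch(url);\n'
                 'require("child_process").exec(stage2);\n'),
}
CLEAN = {"package.json": json.dumps({"name": "hex-tools-sample", "scripts": {"test": "jest"}}),
         "index.js": "module.exports = (hex) => parseInt(hex.slice(1), 16);\n"}

if __name__ == "__main__":
    for f in scan_package(SAMPLE):
        print("FLAG:", f)
    print("clean package findings:", scan_package(CLEAN))
```

Such a scan only flags the pairing for review; a legitimate dApp helper may contain both kinds of indicator, so the finding is a prompt to read the code, not a verdict.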
“This is something we haven’t seen before,” said ReversingLabs researcher Lucija Valentić in the report. “It highlights the rapid development of detection evasion strategies from malicious actors who troll open source repositories and developers.”
The technique is based on an old playbook. Previous attacks have used trusted services such as GitHub Gists, Google Drive or OneDrive to host malicious links. By using Ethereum smart contracts instead, the attackers added a crypto-flavored twist to an already dangerous supply chain tactic.
The incident is part of a wider campaign. ReversingLabs found the packages tied to fake GitHub repositories posing as cryptocurrency trading bots. These repos were padded with fabricated commits, fake user accounts and inflated star counts to look legitimate.
Developers who pulled the code risked importing malware without noticing.
Supply chain risks in open source crypto tools are not new. Last year, researchers flagged more than 20 malicious campaigns that targeted developers through repositories such as NPM and PyPI.
Many aimed at stealing wallet information or installing cryptominers. But the use of Ethereum smart contracts as a delivery mechanism shows that adversaries are quickly adapting to blockchain ecosystems.
A takeaway for developers is that commit activity and active maintainers can be faked, and even seemingly innocent packages can carry hidden payloads.