Hackers Use Ethereum Smart Contracts to Conceal Malware


Researchers from ReversingLabs have discovered a new scheme for distributing malware, in which Ethereum smart contracts are used for covert delivery of commands and links, significantly complicating detection of attacks by modern antivirus systems.

This is reported by Business • Media

A New Wave of Cyberattacks via NPM and Blockchain

In July 2025, two malicious packages, colortoolsv2 and mimelib2, were published on NPM, the largest repository of JavaScript libraries. The packages did not contain the hard-coded command-and-control (C2) server addresses typical of such malware; instead, they retrieved their instructions by reading Ethereum smart contracts. This let the attackers bypass standard security controls, because the network traffic looked like ordinary blockchain traffic.

Once installed, the malicious packages connected to the blockchain, from which they obtained addresses for downloading the next phase of the attack. This mechanism turned smart contracts into tools for concealing real URLs, complicating automatic threat detection.

“This method allows for evading scans and complicates threat detection.”

Social Engineering and Fake Repositories

The malicious packages mentioned by ReversingLabs were part of a large-scale social engineering campaign. The attackers created fake repositories on GitHub, presenting them as trading bots for crypto assets. To create the illusion of real activity, they added fake commits, inflated the repositories' popularity with multiple "watcher" accounts, and wrote professional-looking documentation.

Researchers emphasize that the use of blockchain in cybercrime is not a new phenomenon; similar tactics have been employed before, notably by the Lazarus group. However, in this case, Ethereum smart contracts were used specifically to conceal commands rather than to store files, marking a new stage in the evolution of evasion methods.

In 2024, at least 23 similar campaigns related to digital assets were recorded. Moreover, hackers are targeting not only the Ethereum ecosystem. In April, a fake trading bot for Solana was discovered, which stole users’ crypto assets, and earlier attacks were directed at the Bitcoinlib library for Python.

Experts believe that the combination of blockchain technologies with social engineering is becoming increasingly popular among cybercriminals. Such tools allow them to effectively bypass traditional security systems, creating serious risks for developers and users of open-source software.

As a reminder, in August 2025, the total losses to the industry from hacker attacks exceeded $163 million.