Criminals “trolling” devs by distributing malware via Ethereum smart contracts

Published: 5 September 2025
black ily had holding a blackshiny wallet with ethereum logo
Image by Cybernews.

A new method of loading malware onto compromised devices via smart contracts on the Ethereum (ETH) blockchain has been identified as part of a larger campaign targeting npm packages and GitHub.

Cybersecurity firm ReversingLabs (RL) said that two npm (Node Package Manager) packages, published in July 2025 and now removed, abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems.

According to the researchers, once the first discovered package, colortoolsv2, was used or included in another project, a script containing an obfuscated, malicious payload would execute. This script retrieved the URL of a command-and-control (C2) server, which then delivered second-stage malware to the requesting system.

ADVERTISEMENT

“What is new and different is the use of Ethereum smart contracts to host the URLs where malicious commands are located, downloading the second-stage malware,” RL explained, adding that this highlights the rapid evolution of evasion techniques by malicious actors who are “trolling open-source repositories and developers.”

Moreover, the researchers said they were “struck by the extent and sophistication” of the campaign, as they uncovered a network of GitHub repositories connected to colortoolsv2.

The investigation also showed that the criminals attempted to make the repositories hosting the malicious packages look trustworthy. Since GitHub projects were likely the primary infection vector, the researchers noted that “it would be impossible to detect” malicious code hidden in npm package dependencies merely by reviewing source code in GitHub repositories.

github-scam
Image by Cybernews.

“Looking at the solana-trading-bot-v2 through the eyes of an average developer trying to determine if the GitHub project is trustworthy, this one would definitely look like a good choice. It has thousands of commits, a couple of active contributors, and a decent number of stars and watchers – all characteristics of legitimate open-source repositories. But, as it turns out, all of these details were fabricated,” RL stressed.

The researchers urged developers to assess each library more carefully before implementation and to look beyond raw numbers of maintainers, commits, and downloads.

vilius Niamh Ancell BW jurgita Anton Mous
Be the first to know and get our latest stories on Google News
Google News Follow us
ADVERTISEMENT

Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT