
Crypto Hackers Leveraging Ethereum Smart Contracts for Malware Delivery
Malicious code exploits Ethereum's blockchain, enabling sophisticated cyber attacks and complicating detection.
Ethereum has become a new battleground for software supply chain attacks. Researchers from ReversingLabs recently identified two malicious NPM packages that utilized Ethereum smart contracts to hide harmful code, enabling the malware to bypass traditional security measures.
Key Takeaways:
- Researchers found malicious NPM packages disguising their harmful actions as legitimate blockchain activity.
- Developers are cautioned that even well-known code commits can be fabricated, increasing supply chain risks.
NPM, the dominant package manager for Node.js and the largest software registry globally, played host to these packages. The two malicious packages, “colortoolsv2” and “mimelib2,” were uploaded in July and initially masked as useful tools. However, they were designed to exploit Ethereum’s blockchain to retrieve hidden URLs, directing compromised systems to download additional malware.
By embedding malicious commands within smart contracts, attackers were able to present their activities as valid blockchain traffic, making detection significantly harder.
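As an added illustration (not code from ReversingLabs or from the packages described), here is the kind of heuristic check a registry or CI pipeline could run over an extracted package to surface the combination the article describes: an install-time script that performs an Ethereum JSON-RPC read and also carries download-and-execute primitives. The file map and indicator lists are constructed for this example and are illustrative, not exhaustive.

```javascript
// Heuristic scan of an extracted npm package for the dead-drop pattern: an
// install-time script that reads data from the Ethereum chain (where the real
// download URL is parked) and then downloads and executes something. `files`
// is a constructed { path: contents } map standing in for the unpacked tarball.
const INDICATORS = {
  ethRpc: [/\beth_call\b/, /\beth_getStorageAt\b/,
           /require\(["'](web3|ethers)["']\)/, /from\s+["'](web3|ethers)["']/],
  fetch:  [/require\(["'](https?|axios|node-fetch)["']\)/, /\bfetch\s*\(/],
  exec:   [/require\(["']child_process["']\)/, /\b(exec|execSync|spawn|spawnSync)\s*\(/,
           /\beval\s*\(/, /new\s+Function\s*\(/, /vm\.runIn/],
};
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Which indicator families one source file matches.
function classifyFile(src) {
  const hit = {};
  for (const [name, patterns] of Object.entries(INDICATORS)) {
    hit[name] = patterns.some((p) => p.test(src));
  }
  return hit;
}
// Script files launched by lifecycle hooks run on every `npm install`, so a
// chain read there is far more interesting than one inside library code.
function lifecycleTargets(pkgJson) {
  const scripts = (pkgJson && pkgJson.scripts) || {};
  const targets = new Set();
  for (const hook of LIFECYCLE_HOOKS) {
    const m = (scripts[hook] || "").match(/\bnode\s+(\S+\.c?js)\b/);
    if (m) targets.add(m[1].replace(/^\.\//, ""));
  }
  return targets;
}
// Returns { verdict, findings }; verdict is "clean", "review" or "suspicious".
function scanPackage(files) {
  const pkg = files["package.json"] ? JSON.parse(files["package.json"]) : {};
  const hooks = lifecycleTargets(pkg);
  const findings = [];
  for (const [path, src] of Object.entries(files)) {
    if (!/\.c?js$/.test(path)) continue;
    const h = classifyFile(src);
    const where = hooks.has(path) ? " (install hook)" : "";
    if (h.ethRpc && h.fetch && h.exec) {
      findings.push(`${path}: chain read + download + execute${where}`);
    } else if (h.ethRpc && hooks.has(path)) {
      findings.push(`${path}: chain read from install hook`);
    }
  }
  const worst = findings.some((f) => f.includes("execute"));
  return { verdict: worst ? "suspicious" : findings.length ? "review" : "clean", findings };
}
```

A legitimate wallet library that imports `ethers` but has no install hook and no execution primitives scores "clean", so the check targets the combination rather than blockchain use on its own.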
“This is something we haven’t seen previously,” said Lucija Valentić of ReversingLabs. “It highlights the fast evolution of evasion strategies by malicious actors who are trolling open-source repositories.”
This incident reflects an ongoing trend in which attackers use trusted platforms like GitHub Gists or Google Drive to host malicious content. The new tactic of leveraging Ethereum smart contracts adds a dangerous twist to traditional supply chain attack methods.
ReversingLabs also discovered that these packages were linked to fraudulent GitHub repositories masquerading as cryptocurrency trading bots. These fake repos featured fabricated commit histories and inflated attributes to appear trustworthy, putting developers at risk of unintentionally importing malware.
Last year, many similar campaigns targeting developers were reported, revealing the longstanding risks associated with open-source crypto tools. Now that attackers are adapting blockchain technology to these threats, it is vital for developers to remain vigilant against hidden malware in seemingly innocuous packages.