Hackers discover new technique that can hide malware within Ethereum (ETH) smart contracts.

CN
2 days ago

Attackers have found new ways to embed malware, commands, and links into Ethereum (ETH) smart contracts to evade security detection, reflecting the evolving tactics against code repositories.

The cybersecurity research team at digital asset compliance company ReversingLabs discovered a new type of open-source malware in the Node Package Manager (npm) software package repository, a large collection of JavaScript packages and libraries.

ReversingLabs researcher Lucija Valentić stated in a blog post on Wednesday that these malicious packages employ a novel and clever method to load malware onto compromised devices: they do so through smart contracts on the Ethereum (ETH) blockchain.

Valentić explained that the two packages released in July, "colortoolsv2" and "mimelib2," abuse smart contracts to hide malicious commands, thereby installing downloader-type malware on the victim's system.

To evade security detection, these packages act merely as simple downloaders and do not directly host malicious links; instead, they obtain command and control (C&C) server addresses from the smart contracts.

Once installed, the packages query the blockchain to retrieve the URLs from which the second-stage malware is downloaded. That second stage carries the actual malicious payload. Because the traffic to the blockchain looks like ordinary RPC activity, the first stage is harder to detect.
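The combination described above (an install-time hook, a read from an on-chain contract, a runtime fetch and a dynamic execution call) is what a package-screening step can look for before the package reaches a build host. The following is an added example of such a heuristic triage scanner; it is not code from ReversingLabs or from the packages the article names, and the regex indicator lists, the scoring weights and the two sample packages are all constructed for illustration.

```python
"""Heuristic triage of an npm package for the "contract-hosted C2 URL" pattern:
a package that (1) runs code at install time, (2) reads data from an Ethereum
contract via an RPC library, and (3) fetches and executes something obtained at
runtime. Indicator regexes and score thresholds are assumptions of this example."""
import re
from dataclasses import dataclass, field

INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Illustrative patterns for common JS spellings; they do not cover obfuscated code.
CHAIN_READ = re.compile(r"\b(ethers\.(Contract|JsonRpcProvider)|web3\.eth|eth_call|\.call\s*\()")
REMOTE_FETCH = re.compile(r"\b(fetch\s*\(|https?\.get\s*\(|axios\.(get|post)\s*\()")
DYNAMIC_EXEC = re.compile(r"\b(child_process|execSync\s*\(|spawn\s*\(|eval\s*\(|new\s+Function\s*\()")


@dataclass
class Finding:
    package: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Threshold is an assumption; tune it against your own package corpus.
        return "suspicious" if self.score >= 3 else "low"


def assess_package(manifest: dict, sources: dict) -> Finding:
    """manifest: parsed package.json; sources: {filename: JS source text}."""
    f = Finding(package=manifest.get("name", "<unnamed>"))
    hooks = [h for h in INSTALL_HOOKS if h in manifest.get("scripts", {})]
    if hooks:
        f.score += 1
        f.reasons.append("install-time script(s): " + ", ".join(hooks))
    code = "\n".join(sources.values())
    chain, fetch, execute = (bool(p.search(code)) for p in (CHAIN_READ, REMOTE_FETCH, DYNAMIC_EXEC))
    for present, why in ((chain, "reads data from a blockchain RPC/contract"),
                         (fetch, "fetches remote content at runtime"),
                         (execute, "executes code or spawns a process dynamically")):
        if present:
            f.score += 1
            f.reasons.append(why)
    # The combination is the real signal: a chain read feeding a fetch that feeds
    # an exec is rare in legitimate packages, so it is weighted extra.
    if chain and fetch and execute:
        f.score += 2
        f.reasons.append("chain-read -> fetch -> execute chain present")
    return f


# Constructed sample 1: non-functional fragments carrying all indicators.
SUSPICIOUS_MANIFEST = {"name": "example-suspicious", "scripts": {"postinstall": "node index.js"}}
SUSPICIOUS_SOURCES = {"index.js": """
const { ethers } = require('ethers');
const { execSync } = require('child_process');
const c = new ethers.Contract(address, abi, provider);  /* ... */
const url = await c.getUrl();                             /* ... */
const body = await fetch(url);                            /* ... */
execSync(/* ... */);
"""}

# Constructed sample 2: a benign wallet-balance helper using the same RPC library.
BENIGN_MANIFEST = {"name": "example-balance-check", "scripts": {"test": "node test.js"}}
BENIGN_SOURCES = {"index.js": """
const { ethers } = require('ethers');
const provider = new ethers.JsonRpcProvider(rpcUrl);
const bal = await provider.getBalance(addr);
console.log(ethers.formatEther(bal));
"""}

if __name__ == "__main__":
    for m, s in ((SUSPICIOUS_MANIFEST, SUSPICIOUS_SOURCES), (BENIGN_MANIFEST, BENIGN_SOURCES)):
        r = assess_package(m, s)
        print(f"{r.package}: {r.verdict} (score {r.score}); " + "; ".join(r.reasons))
```

The benign sample still trips the chain-read indicator, which is why a single indicator is scored low and only the full chain of behaviours pushes a package over the threshold; in practice this would run over the unpacked tarball of each dependency in CI, with the install-hook check alone being a useful pre-filter.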

Malware targeting Ethereum (ETH) smart contracts is not a new occurrence. Earlier this year, the North Korean-linked hacker group Lazarus Group employed similar tactics.

Valentić pointed out, "The new twist is the use of Ethereum (ETH) smart contracts to host URLs containing malicious commands and download second-stage malware." Valentić added:

These malware packages are part of a larger and more complex social engineering fraud operation, primarily conducted through GitHub.

Attackers have established fake cryptocurrency trading bot repositories, using fabricated commit histories, specially created fake user accounts that follow the repositories, and multiple maintainer accounts to simulate active development. At the same time, they build a highly credible image through professional-looking project descriptions and documentation.

In 2024, security researchers recorded 23 incidents of cryptocurrency-related malware in open-source repositories. Valentić concluded that this latest method shows that attacks on code repositories are evolving, with attackers combining blockchain technology with complex social engineering tactics to bypass traditional detection mechanisms.

The attackers' targets are not limited to Ethereum (ETH). In April of this year, a fake GitHub repository disguised as a Solana (SOL) trading bot was used to distribute stealthy malware to steal cryptocurrency wallet credentials. Hackers have also targeted "Bitcoinlib," a library designed to simplify Bitcoin (BTC) development.


Original article: “Hackers Discover New Technique to Hide Malware in Ethereum (ETH) Smart Contracts”

Disclaimer: This article represents only the author's personal views and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice of any kind to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com and the platform's staff will verify it.
