Tuesday, January 21, 2025

Hackers Use Ethereum Smart Contracts to Bypass Detection in npm Packages!

Hackers use Ethereum smart contracts to deliver malicious payloads in npm packages, bypassing security measures.

Fridah Kangai

  • Cybercriminals use Ethereum contracts to bypass detection in npm packages.
  • Malicious npm packages deliver payloads via Ethereum smart contracts, bypassing security.
  • Fake crypto repositories deceive developers into integrating harmful npm packages.

Cybercriminals have recently developed a new technique for evading detection of malicious npm packages: Ethereum smart contracts. The technique, identified by ReversingLabs, marks a crucial change in the behavior of attackers who target developers through open-source tools. Rather than inserting malicious payloads into the package code, the attackers use Ethereum smart contracts to deliver command-and-control (C2) commands.

The attackers include in the package an obfuscated script that contacts Ethereum smart contracts to retrieve C2 instructions. These instructions direct the infected system to a second-stage downloader. By using the Ethereum blockchain, the attackers make their operations untraceable, which makes it harder for security systems to identify and halt the threat.

Two npm packages were detected in this campaign: colortoolsv2 and mimetoolib2. These packages query Ethereum contracts for C2 URLs, which in turn lead to further destructive payloads. By concealing the malicious commands behind blockchain technology, attackers can bypass conventional security systems and avoid detection.
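A defender-side sketch of the pattern described above, added here as an example and not taken from ReversingLabs or the article: a static heuristic that flags package source combining Ethereum lookups with download or process-execution code. The indicator patterns, category names, verdict rule and sample files are all assumptions constructed for illustration.

```javascript
// Added example: patterns, category names and verdict rule are assumptions.
const INDICATORS = {
  chainAccess: [
    /\b(require\(\s*|from\s+)['"](ethers|web3)['"]/, // Ethereum client library
    /\beth_call\b/,                                   // raw JSON-RPC contract read
    /\b0x[0-9a-fA-F]{40}\b/,                          // hard-coded 20-byte address
  ],
  downloadOrExec: [
    /\b(require\(\s*|from\s+)['"](node:)?child_process['"]/,
    /\b(https?\.get|fetch)\s*\(/,
  ],
  obfuscation: [
    /\b_0x[0-9a-f]{4,}\b/,                            // obfuscator-style identifiers
    /\beval\s*\(|\bnew\s+Function\s*\(/,
  ],
};

// Return { category: [matching pattern sources] } for one file's text.
function scanSource(source) {
  const hits = {};
  for (const [category, patterns] of Object.entries(INDICATORS)) {
    const matched = patterns.filter((p) => p.test(source)).map((p) => p.source);
    if (matched.length > 0) hits[category] = matched;
  }
  return hits;
}

// files: { relativePath: fileText }. Categories are combined across files,
// since the lookup and the execution step need not live in the same module.
function scanPackage(files) {
  const perFile = {};
  const seen = new Set();
  for (const [name, source] of Object.entries(files)) {
    const hits = scanSource(source);
    if (Object.keys(hits).length > 0) perFile[name] = hits;
    Object.keys(hits).forEach((c) => seen.add(c));
  }
  const both = seen.has('chainAccess') && seen.has('downloadOrExec');
  const verdict = both ? (seen.has('obfuscation') ? 'high' : 'review')
    : seen.size > 0 ? 'low' : 'no-indicators';
  return { verdict, perFile };
}

// Constructed sample inputs (inert text, not code from the real packages).
const SAMPLE_SUSPECT = {
  'index.js': "const { ethers } = require('ethers');\n" +
    "const _0x1f2e = '0x" + '0'.repeat(36) + "dEaD';",
  'lib/run.js': "const cp = require('child_process');",
};
const SAMPLE_WALLET_LIB = { 'index.js': "import { ethers } from 'ethers';" };
console.log(scanPackage(SAMPLE_SUSPECT).verdict, scanPackage(SAMPLE_WALLET_LIB).verdict);
```

A `review` or `high` verdict is a prompt for manual inspection of the unpacked tarball, not proof of compromise; legitimate Web3 tooling will also match the chain-access patterns.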


Fake Repositories Exploit Developer Trust

To advance their scheme further, the attackers set up fake, crypto-related GitHub repositories to win developers' trust. The repositories looked valid, with high star ratings and automated commit histories. The malicious npm packages were pulled into developer projects without the developers realizing it. Once integrated, the malicious code ran unnoticed, allowing the attackers to steal sensitive data and assets.

An investigation by ReversingLabs found that this attack was part of a large campaign against npm and GitHub repositories. The scammers packaged their harmful scripts as helpful tools, such as crypto trading bots. By persuading developers to download these harmful dependencies, they infected the developers and spread their attack.

Rising Threat to Open-Source Security

This new form of attack highlights that cyberattacks on open-source platforms are becoming more sophisticated. The use of Ethereum smart contracts adds a layer of stealth to the approach of previous campaigns, which were based on fake repositories and misleading activity. The growing number of people using blockchain technology has also given cybercriminals new opportunities.

Even though the harmful packages on npm have been removed, the increasing complexity of these attacks indicates that additional caution is required. Developers must be aware of the new threats to the integrity of the open-source ecosystem.
