Hackers have discovered a new method for spreading malicious software by using Ethereum
According to a blog post by Lucija Valentić at ReversingLabs, two suspicious software packages were found on the Node Package Manager (NPM), a platform used to share JavaScript code.
These packages, named “colortoolsv2” and “mimelib2“, were uploaded in July and designed to look like regular tools.
Did you know?
Subscribe – We publish new crypto explainer videos every week!
What is Monero? XMR Animated Explainer
The packages acted like simple downloaders. When someone installed one, it would reach out to the Ethereum blockchain and fetch data from a smart contract. That data contained the location of a second piece of malware, which would then be downloaded and installed.
This made it hard for security systems to flag the packages as harmful, since they did not include any direct links to malicious websites or files.
Valentić explained that while Ethereum contracts have been misused before, this setup was different. In this case, the smart contract did not hold the malware itself, but held the location where it could be found.
The campaign was not limited to NPM. It also involved a fake open-source project hosted on GitHub. Hackers created a fake cryptocurrency trading bot, complete with fake updates, detailed documentation, and several user accounts to make the project seem active and trustworthy.
On September 1, SlowMist’s Yu Xian reported that attackers stole WLFI tokens from Ethereum wallets. How? Read the full story.
