Hackers Use Ethereum Smart Contracts To Hide Malware Attacks
Researchers from ReversingLabs have discovered two malicious packages on the Node Package Manager (NPM) registry that use Ethereum smart contracts to evade security scans. The packages, ‘colortoolsv2’ and ‘mimelib2’, conceal URLs and malicious commands within smart contracts on the Ethereum blockchain. When installed, they query the blockchain for URLs that lead to downloader malware; because this traffic appears legitimate, the packages avoid detection. The tactic represents a new attack vector that combines blockchain technology with evolving malware delivery methods, and the discovery highlights significant advancements in the strategies threat actors use to exploit open-source repositories.

The malware is part of a larger deception campaign that uses fake cryptocurrency trading bot repositories featuring fabricated commits and professional-looking documentation. The approach is reminiscent of past attacks but distinguishes itself by using Ethereum smart contracts to host malicious content, which complicates traditional security measures.
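For defenders reviewing dependencies, the behaviour described above can be triaged statically: flag any package whose source both reads from an Ethereum contract and can run external commands. The sketch below is an added example, not ReversingLabs' tooling or code from the packages; the indicator patterns, function name and sample sources are assumptions constructed for illustration.

```javascript
// Added example: package-level triage heuristic (not ReversingLabs' tooling).
// The indicator groups are assumptions modelled on the behaviour described above.
const INDICATORS = {
  chainRead: [
    /require\(\s*['"](ethers|web3)['"]\s*\)/,   // Ethereum client library loaded
    /\beth_call\b/,                              // raw JSON-RPC contract read
    /\bnew\s+(\w+\.)*Contract\s*\(/,             // contract handle constructed
  ],
  contractAddress: [/\b0x[0-9a-fA-F]{40}\b/],    // hard-coded 20-byte address
  fetchAndRun: [
    /require\(\s*['"](node:)?child_process['"]\s*\)/,
    /\b(exec|execSync|execFile|spawn)\s*\(/,
    /\beval\s*\(|\bnew\s+Function\s*\(/,
  ],
};

// files: { relativePath: sourceText }. Indicator groups are aggregated across
// the whole package, because the chain lookup and the execution step may sit
// in different files.
function triagePackage(files) {
  const groups = {};
  for (const [path, source] of Object.entries(files)) {
    for (const [group, patterns] of Object.entries(INDICATORS)) {
      if (patterns.some((re) => re.test(source))) {
        (groups[group] = groups[group] || []).push(path);
      }
    }
  }
  // Reading a contract is normal for wallet tooling and running commands is
  // normal for build helpers; the combination in one package is what stands out.
  const suspicious = Boolean(groups.chainRead && groups.fetchAndRun);
  return { suspicious, groups };
}

// Constructed sample sources (fragments only, not taken from the real packages).
const SAMPLES = {
  loaderLike: {
    'lib/rpc.js': "const { ethers } = require('ethers');\n" +
      "const c = new ethers.Contract('0x0000000000000000000000000000000000000000', abi, provider);",
    'index.js': "const cp = require('child_process'); /* later: cp.exec(valueFromContract) */",
  },
  walletTool: { 'index.js': "const { ethers } = require('ethers'); provider.getBalance(addr);" },
  buildHelper: { 'build.js': "require('child_process').execSync('tsc');" },
};

for (const [name, files] of Object.entries(SAMPLES)) console.log(name, triagePackage(files));
```

A hit is a prompt for manual review rather than a verdict, since pattern matching of this kind misses obfuscated code and will flag some legitimate blockchain tooling.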