Hackers exploit Ethereum smart contracts to deliver malware
Researchers at ReversingLabs have uncovered a new malware delivery technique that leverages Ethereum smart contracts to hide command-and-control instructions.
Two malicious packages — colortoolsv2 and mimelib2 — were uploaded to the npm repository in July 2025. Unlike typical malware, they contained no direct links to control servers. Instead, they pulled addresses from Ethereum smart contracts, making the network traffic appear legitimate and harder to detect.
Once installed, the packages connected to the blockchain, extracted the server details, and downloaded a second-stage payload. This effectively turned ordinary smart contracts into tools for concealing malicious URLs and bypassing automated security checks.
Experts say this marks one of the first documented cases of blockchain being weaponized to distribute malware commands.
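For defenders reviewing dependencies, the combination described above (a package that reads from a blockchain and also carries download or process-execution code) can be flagged statically. The following is an added example, not code from the article or from ReversingLabs; the pattern lists, verdict names and sample sources are assumptions constructed for illustration.

```javascript
// Added example: heuristic triage of npm package source. Patterns are illustrative
// assumptions, not indicators published by ReversingLabs.
const RULES = {
  chain: [
    /require\(\s*['"](ethers|web3|viem)['"]\s*\)/,
    /from\s+['"](ethers|web3|viem)['"]/,
    /\beth_call\b/,
    /\bJsonRpcProvider\b/,
  ],
  download: [
    /require\(\s*['"](node:)?(https?|node-fetch|axios|got)['"]\s*\)/,
    /\bfetch\s*\(/,
  ],
  exec: [
    /require\(\s*['"](node:)?child_process['"]\s*\)/,
    /\b(execSync|spawnSync|execFile)\s*\(/,
    /\beval\s*\(/,
  ],
};

// Returns the patterns that fired per group plus a triage verdict.
function scanSource(src) {
  const hits = {};
  for (const [group, patterns] of Object.entries(RULES)) {
    hits[group] = patterns.filter((re) => re.test(src)).map((re) => re.source);
  }
  const chain = hits.chain.length > 0;
  const stage2 = hits.download.length > 0 || hits.exec.length > 0;
  // An on-chain read next to download/exec code is the combination worth a human look.
  const verdict = chain && stage2 ? "review" : chain ? "note" : "clean";
  return { hits, verdict };
}

// Constructed sample sources (not taken from the real packages).
const SAMPLES = {
  "colour-util-like": [
    'const { ethers } = require("ethers");',
    'const cp = require("child_process");',
    "// reads a string from a contract and passes it to a downloader",
  ].join("\n"),
  "wallet-lib-like": 'import { ethers } from "ethers";\nexport const bal = (p, a) => p.getBalance(a);',
  "plain-util": "module.exports = (s) => s.toUpperCase();",
};

function scanAll(samples) {
  return Object.fromEntries(
    Object.entries(samples).map(([name, src]) => [name, scanSource(src).verdict])
  );
}

console.log(scanAll(SAMPLES));
```

Legitimate web3 tooling will also land in "note" or "review", so the verdict is a prompt to compare the code against the package's stated purpose, not a detection on its own.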