Malicious npm packages abusing Ethereum smart contracts have been used to compromise cryptocurrency-focused developers in an attack campaign first detected in early July, Infosecurity Magazine reports.
According to findings from ReversingLabs, the 'colortoolsv2' package and its near-identical replacement 'mimelab2' read Ethereum smart contracts to locate and retrieve second-stage malware, so the attacker's infrastructure is hidden in on-chain code rather than in the package files themselves.
"Downloaders are [...] published weekly, [but] this use of smart contracts to load malicious commands is something we haven't seen previously," said ReversingLabs researchers. Both packages were also discovered to have been associated with widespread malicious activity in GitHub involving bogus cryptocurrency trading bot repositories.
Such findings indicate the increasingly prevalent abuse of open-source repositories and blockchain technology, which should prompt more stringent library and maintainer vetting processes, as well as the adoption of more robust package evaluation tools.
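As an added illustration of the kind of package-evaluation check the article calls for (this is example code, not ReversingLabs' tooling or anything from the packages named above): a scanner that flags an unpacked npm package when it combines an install-time lifecycle hook, a read from the Ethereum chain, and dynamic code execution, which is the shape of a smart-contract-driven downloader. The heuristics, the regexes and the two sample packages are assumptions constructed for the demo.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumed heuristics (not ReversingLabs' detection logic): a package that
# combines an install-time hook, a read from the Ethereum chain and dynamic
# code execution has the shape of the smart-contract downloader described above.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
CHAIN_ACCESS = re.compile(r"\b(ethers|web3|eth_call|eth_getCode)\b")
DYNAMIC_EXEC = re.compile(r"\beval\(|new Function\(|child_process|\bexec\(|\bspawn\(")


def scan_package(pkg_dir):
    """Return (suspicious, findings) for an unpacked npm package directory."""
    pkg_dir = Path(pkg_dir)
    findings = []
    manifest = json.loads((pkg_dir / "package.json").read_text())
    hooks = LIFECYCLE_HOOKS & set(manifest.get("scripts", {}))
    if hooks:
        findings.append("hook:" + ",".join(sorted(hooks)))
    for js in sorted(pkg_dir.rglob("*.js")):
        text = js.read_text(errors="ignore")
        rel = js.relative_to(pkg_dir).as_posix()
        if CHAIN_ACCESS.search(text):
            findings.append(f"chain:{rel}")
        if DYNAMIC_EXEC.search(text):
            findings.append(f"exec:{rel}")
    kinds = {f.split(":", 1)[0] for f in findings}
    # Only the full triad is flagged; a dapp library that merely uses ethers is not.
    return kinds >= {"hook", "chain", "exec"}, findings


def write_sample(root, name, scripts, index_js):
    """Write a constructed sample package (not a real one) under root/name."""
    d = Path(root) / name
    d.mkdir(parents=True)
    (d / "package.json").write_text(json.dumps({"name": name, "scripts": scripts}))
    (d / "index.js").write_text(index_js)
    return d


def demo():
    """Scan one constructed downloader-like package and one benign library."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = write_sample(tmp, "sample-downloader", {"postinstall": "node index.js"},
                           'const { ethers } = require("ethers");\n'
                           'const { exec } = require("child_process");\n'
                           '// constructed: read a string from a contract, then run it\n')
        good = write_sample(tmp, "sample-dapp-lib", {"test": "jest"},
                            'const { ethers } = require("ethers");\n'
                            'module.exports = (url) => new ethers.JsonRpcProvider(url);\n')
        return scan_package(bad)[0], scan_package(good)[0]


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The triad rule keeps false positives down on legitimate web3 libraries; in practice you would run it over every tarball before it reaches a build host and review anything flagged by hand.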