Hackers Exploit Ethereum EIP-7702 to Drain WLFI Wallets

Researchers have identified a sophisticated malware campaign exploiting Ethereum smart contracts to deliver malicious payloads via compromised npm packages, such as "colortoolsv2" and "mimelib2." These packages use Ethereum blockchain queries to fetch command-and-control server URLs, bypassing traditional detection methods and complicating cybersecurity defenses. Additionally, hackers are exploiting Ethereum's EIP-7702 upgrade from the Pectra update to deploy phishing-based wallet attacks targeting holders of World Liberty Financial (WLFI) tokens, a DeFi project supported by President Donald Trump and his family. By leveraging previously stolen private keys, attackers pre-install malicious delegate contracts in victims' wallets, enabling rapid theft of tokens and transaction fees as soon as deposits or transfers occur. Victims have reported losing significant portions of their WLFI holdings despite attempts to secure their wallets, highlighting the urgent need for users to cancel or replace harmful contracts and move tokens to safer wallets. These incidents underscore the evolving threats within the Ethereum ecosystem, involving both innovative malware delivery through smart contracts and exploitation of network upgrades for financial theft.