A novel hacking method involves using Ethereum’s smart contract technology to mask harmful software code within seemingly harmless npm packages. This approach effectively converts the blockchain into a robust communications channel for attackers, making detection and removal significantly more challenging.
Research by ReversingLabs exposed two npm packages, colortoolsv2 and mimelib2. Both read a smart contract on the Ethereum network, which returned a URL pointing to the second-stage download location for the malware. Because the packages never embed infrastructure details directly, they carry fewer easily detectable markers and leave fewer traces for code review.
These malicious packages surfaced in July and were promptly removed upon discovery. ReversingLabs discovered their distribution was linked to a network of GitHub repositories disguised as trading bots, including one called solana-trading-bot-v2. These repositories exhibited fabricated positive ratings, artificially inflated commit histories, and the use of fake user accounts, all designed to trick developers into trusting the dangerous dependency chain.
While the number of downloads was limited, the technique itself is significant. According to The Hacker News, colortoolsv2 was downloaded seven times and mimelib2 only once, suggesting a targeted approach towards specific developers. Security firms Snyk and OSV have now marked both packages as malicious, providing a means for teams to quickly identify and audit past software builds.
A Recurring Threat
The utilization of an on-chain command channel mirrors a wider campaign identified in late 2024, where hundreds of npm packages were targeted via typosquatting. These packages included install or preinstall scripts that contacted an Ethereum contract to retrieve a base URL, subsequently downloading operating system-specific malicious files named node-win.exe, node-linux, or node-macos.
Checkmarx provided details about a key smart contract found at 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b, along with a wallet parameter 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84. Observed infrastructure linked to this campaign included addresses such as 45.125.67.172:1337 and 193.233.201.21:3001.
Phylum’s deobfuscation efforts revealed the use of ethers.js to call getString(address) on the same contract, tracking the changing C2 server addresses over time. This effectively turned the contract state into a dynamic pointer for accessing malicious software. Socket independently analyzed the typosquatting campaign and confirmed the findings with identical IOCs, including the same smart contract and wallet address.
An Enduring Vulnerability
ReversingLabs characterizes the recent packages as a continuation of a previously used tactic, rather than a widespread attack. The key change is that the smart contract now hosts the URL for the next stage of the attack, instead of the entire malicious payload.
The social engineering aspects, such as creating fake followers and commits on GitHub, are intended to bypass casual security reviews and exploit automated dependency update mechanisms within cloned fake repositories.
This approach is similar to previous methods that leveraged third-party services such as GitHub Gist or cloud storage for redirection. However, using the blockchain adds inherent immutability, broad accessibility, and a decentralized platform, making it significantly harder for security teams to shut down.
According to ReversingLabs, specific Indicators of Compromise (IOCs) include the Ethereum contracts 0x1f117a1b07c108eae05a5bccbe86922d66227e2b (related to the July packages) and the 2024 contract 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b, wallet 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84, host patterns like 45.125.67.172 and 193.233.201.21 using port 1337 or 3001, and the previously mentioned platform-specific payload filenames.
Hashes for the 2025 second-stage payload include 021d0eef8f457eb2a9f9fb2260dd2e391f009a21. For the 2024 campaign, Checkmarx provides SHA-256 hashes for Windows, Linux, and macOS versions. ReversingLabs also published SHA-1 hashes for each malicious npm package version, aiding security teams in scanning their artifact repositories for past compromises.
Defensive Measures
A crucial defensive measure is to disable lifecycle scripts from executing during installation and within Continuous Integration (CI) environments. The npm documentation outlines the use of the --ignore-scripts flag for both npm ci and npm install. Teams can set this option globally within their .npmrc file, then selectively allow necessary builds using a separate, controlled step.
The Node.js security best practices guide recommends this same approach, along with version pinning using lockfiles and more rigorous reviews of package maintainers and metadata.
Two detection controls match this chain-based command-and-control design: block outbound network traffic to the IOCs listed above, and alert on build logs in which ethers.js is initialized and then getString(address) is called.
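The following Node.js script is an added example, not code from the article or from ReversingLabs, Checkmarx, Phylum or Socket. It puts the two controls above into practice: it audits a dependency's package.json for lifecycle hooks, scans the scripts those hooks run (or a build log) for the indicators the article lists, and checks that an .npmrc actually contains an uncommented `ignore-scripts=true`. The contract, wallet, host and payload-name values are the ones quoted in the article; the sample packages, their file contents and the name `hypothetical-suspect-pkg` are constructed for illustration.

```javascript
// Added example (not the article's or any cited firm's code): audit npm
// dependencies for install-time scripts that resolve a download URL from an
// Ethereum contract, and verify that .npmrc disables lifecycle scripts.
// Indicator values are taken from the article; sample packages are constructed.

// Indicators of compromise quoted in the article (lower-cased for comparison).
const KNOWN_CONTRACTS = new Set([
  '0x1f117a1b07c108eae05a5bccbe86922d66227e2b', // July 2025 packages
  '0xa1b40044ebc2794f207d45143bd82a1b86156c6b', // late-2024 typosquatting campaign
]);
const KNOWN_WALLETS = new Set(['0x52221c293a21d8ca7afd01ac6bfac7175d590a84']);
const KNOWN_HOSTS = ['45.125.67.172', '193.233.201.21'];
const PAYLOAD_NAMES = ['node-win.exe', 'node-linux', 'node-macos'];
// npm lifecycle hooks that execute code during `npm install` / `npm ci`.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Scan text (a lifecycle script's source, or a build log) for the indicators.
// Returns {level, reason} findings; an empty array means nothing matched.
function scanText(text) {
  const hits = [];
  for (const raw of text.match(/0x[0-9a-f]{40}/gi) || []) {
    const addr = raw.toLowerCase();
    if (KNOWN_CONTRACTS.has(addr)) hits.push({ level: 'critical', reason: `known C2 contract ${addr}` });
    else if (KNOWN_WALLETS.has(addr)) hits.push({ level: 'critical', reason: `known wallet ${addr}` });
  }
  // ethers.js initialization followed by a getString() read of contract state.
  const usesEthers = /require\(\s*['"]ethers['"]\s*\)|from\s+['"]ethers['"]/.test(text);
  const callsGetString = /\.getString\s*\(/.test(text);
  if (usesEthers && callsGetString) {
    hits.push({ level: 'high', reason: 'ethers.js getString() call reads a URL from contract state' });
  }
  for (const host of KNOWN_HOSTS) {
    if (text.includes(host)) hits.push({ level: 'critical', reason: `known C2 host ${host}` });
  }
  for (const name of PAYLOAD_NAMES) {
    if (text.includes(name)) hits.push({ level: 'high', reason: `known payload filename ${name}` });
  }
  return hits;
}

// Audit one package. `manifest` is the parsed package.json; `sources` maps the
// files its lifecycle hooks run to their contents.
function auditPackage(name, manifest, sources) {
  const scripts = manifest.scripts || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => h in scripts);
  if (hooks.length === 0) return { name, hooks: [], findings: [], verdict: 'clean' };
  const text = [...hooks.map((h) => scripts[h]), ...Object.values(sources)].join('\n');
  const findings = scanText(text);
  const verdict = findings.some((f) => f.level === 'critical') ? 'block'
    : findings.length > 0 ? 'review'
    : 'has-lifecycle-scripts'; // benign-looking, but still runs code at install
  return { name, hooks, findings, verdict };
}

// Lifecycle scripts are disabled only if an uncommented `ignore-scripts=true`
// line is present in the .npmrc body.
function npmrcDisablesScripts(npmrcText) {
  return npmrcText.split(/\r?\n/).some((line) => {
    const trimmed = line.trim();
    if (trimmed.startsWith('#') || trimmed.startsWith(';')) return false;
    const m = trimmed.match(/^ignore-scripts\s*=\s*(\S+)$/);
    return m !== null && m[1].toLowerCase() === 'true';
  });
}

// Constructed samples: a benign native addon, and a hypothetical package whose
// postinstall script mimics the on-chain lookup described in the article.
const SAMPLE_BENIGN = {
  manifest: { name: 'native-addon-example', scripts: { install: 'node-gyp rebuild' } },
  sources: {},
};
const SAMPLE_SUSPECT = {
  manifest: { name: 'hypothetical-suspect-pkg', scripts: { postinstall: 'node setup.js' } },
  sources: {
    'setup.js': [
      "const { ethers } = require('ethers');",
      "const c = new ethers.Contract('0x1f117a1b07c108eae05a5bccbe86922d66227e2b', abi, provider);",
      'const base = await c.getString(wallet);',
    ].join('\n'),
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of [SAMPLE_BENIGN, SAMPLE_SUSPECT]) {
    console.log(JSON.stringify(auditPackage(s.manifest.name, s.manifest, s.sources), null, 2));
  }
  console.log('npmrc hardened:', npmrcDisablesScripts('ignore-scripts=true\n'));
}
```

In a CI job the audit would walk node_modules after a scripts-disabled `npm ci --ignore-scripts`, feed each package.json and the files its hooks reference into `auditPackage`, and fail the build on a `block` verdict; `scanText` can be run unchanged over install logs to implement the alerting described above. Note that a package flagged `has-lifecycle-scripts` is not malicious, it simply needs the controlled, separately reviewed build step the article recommends.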
While these specific packages have been removed, the overall pattern persists. Utilizing on-chain redirection now joins techniques like typosquatting and fraudulent repositories as a recurring method for compromising developer machines.