Ethereum Smart Contracts Weaponized in npm Package Attack Targeting Crypto Developers
Security researchers have uncovered a sneaky new attack vector: malicious npm packages leveraging Ethereum smart contracts to compromise developer systems. This discovery highlights a growing trend of attackers seeking innovative methods to deliver malware and evade detection within the software supply chain.
Cybersecurity researchers have uncovered a sneaky new trick: malicious packages lurking on the npm registry are using Ethereum blockchain smart contracts to wreak havoc on compromised computers. This highlights how attackers are always searching for innovative ways to spread malware while staying under the radar.
According to ReversingLabs researcher Lucija Valentić, these two npm packages used smart contracts to hide malicious commands, which then installed malware on infected systems. You can read more about it in their report.
The packages, uploaded to npm in July 2025 but now removed, were:
- colortoolsv2 (7 downloads)
- mimelib2 (1 download)
ReversingLabs believes these libraries are part of a larger, more sophisticated campaign targeting both npm and GitHub. The goal? To trick unsuspecting developers into downloading and running them.
While the malicious code within the packages wasn't particularly hidden, the GitHub projects importing them went to great lengths to appear legitimate.
Here's how it works: Once a developer uses or includes either package in a project, it grabs a second-stage payload from a server controlled by the attacker and executes it.
Malware downloaders are nothing new, but the use of Ethereum smart contracts to store the URLs of those payloads is a twist. It's similar to EtherHiding, showing that attackers are constantly evolving their tactics to avoid detection.
Further digging revealed that these packages are connected to a network of GitHub repositories claiming to be a "solana-trading-bot-v2" that automates trades using real-time on-chain data. The GitHub account associated with the repository is now gone.
It's believed these accounts are part of a "distribution-as-service" (DaaS) operation called Stargazers Ghost Network. This network uses fake GitHub accounts to artificially boost the popularity of malicious repositories by starring, forking, watching, and subscribing to them.
These accounts even commit source code changes to import colortoolsv2. Other repositories pushing the npm package include ethereum-mev-bot-v2, arbitrage-bot, and hyperliquid-trading-bot.
The names of these GitHub repositories suggest that cryptocurrency developers and users are the primary targets, using a mix of social engineering and deception.
Valentić advises developers to carefully evaluate every library before adding it to their projects. "That means looking beyond the surface – beyond the number of maintainers, commits, and downloads – to really assess if a package and its developers are who they claim to be."
