ReversingLabs research uncovered a malware campaign that used Ethereum smart contracts to conceal malicious software URLS. The findings revealed that the hackers used the npm packages colortoolv2 and mimelib2, which acted as downloaders.
Once the npm packages have been installed, they fetch second-stage malware from a command and control infrastructure (C2) by querying Ethereum smart contracts.
ReversingLabs researcher Lucija Valentic described the attack as creative, noting that it has not been seen before. The attackers’ approach bypassed traditional scans that typically flag suspicious URLs inside package scripts.
Threat actors hide malware in plain sight
Ethereum smart contracts are public programs that automate blockchain functions. In this case, they enabled hackers to hide malicious code in plain sight. The malicious payloads were hidden with a simple index.js file, which, when executed, reached out to the blockchain to retrieve the command and control (C2) server details.
According to ReversingLabs’ research, downloader packages are not standard on npm, and blockchain hosting marked a new stage in evasion tactics.
The discovery prompted researchers to scan widely across GitHub, where they discovered that the npm packages were embedded beneath repositories posing as cryptocurrency bots. The bots were disguised as Solana-trading-bot-v2, Hyperliquid-trading-bot-v2, and many more. The repositories were disguised as professional tools, attracting multiple commits, containers, and stars, but in reality, they were just fabricated.
According to the research, accounts that performed commits or forked the repositories were created in July and did not show any coding activity. Most of the accounts had a README file embedded in their repositories. It was uncovered that the commit counts were artificially generated via an automated process to inflate coding activity. For instance, most commits logged were just license file changes rather than meaningful updates.
Pasttimerles, a handle used by one maintainer, was notably used to share many commits. Slunfuedrac, another handle, was tied to the inclusion of the malicious npm packages into the project files.
Once detected, the hackers kept switching dependencies to different accounts. After colortoosv2 was detected, they switched to mimelibv2 and subsequently towards mw3ha31q and cnaovalles, which contributed to the commit inflation and placement of malicious dependencies, respectively.
ReversingLabs’ research linked the activity to Stargazer’s Ghost Network, a coordinated system of accounts that boosts the credibility of malicious repositories. The attack targeted developers who seek open-source cryptocurrency tools and might mistake inflated GitHub statistics for legitimate accounts.
Ethereum blockchain malware embedding marks a new phase in threat detection
The uncovered attack follows a series of attacks targeting the blockchain ecosystem. In March 2025, ResearchLabs uncovered other malicious npm packages that patched legitimate Ethers packages with code that enabled reverse shells. Ether-provider2 and ethers-providerZ npm packages containing malicious code that enabled reverse shells were uncovered.
Several earlier cases, including the compromise of PyPI’s ultralytics package in December 2024, were also revealed for delivering cryptocurrency mining malware. Other incidents included trusted platforms like Google Drive and GitHub Gist being used to mask malicious code via C2 servers.
According to the research, 23 crypto-related supply chain incidents were recorded in 2024, ranging from malware to credentials breaches.
The latest discovery employs old tricks but introduces the Ethereum contracts approach as a new mechanism. Valentic, the Research Labs researcher, said the discovery highlights the fast evolution of detection evasion strategies by malicious actors trolling open-source projects and developers.
The research highlighted the importance of verifying open-source libraries’ legitimacy before adoption. Valentic warned that developers must assess each library they are considering before including it in their development environment. She added that it was clear that indicators such as stars, commits, and the number of maintainers can be easily manipulated.
Both identified npm packages, colortoolsv2 and mimelib2, have since been removed from npm and the associated GitHub accounts closed, but the activity has shed light on how the software threat ecosystem is evolving.
KEY Difference Wire helps crypto brands break through and dominate headlines fast
