{"id":2651,"date":"2025-09-04T02:51:39","date_gmt":"2025-09-04T02:51:39","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/09\/04\/malicious-npm-packages-exploit-ethereum-smart-contracts\/"},"modified":"2025-09-04T02:51:39","modified_gmt":"2025-09-04T02:51:39","slug":"malicious-npm-packages-exploit-ethereum-smart-contracts","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2025\/09\/04\/malicious-npm-packages-exploit-ethereum-smart-contracts\/","title":{"rendered":"Malicious npm Packages Exploit Ethereum Smart Contracts"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A malicious campaign targeting developers through npm and GitHub repositories has been uncovered, featuring an unusual method of using Ethereum smart contracts to conceal command-and-control (C2) infrastructure.<\/p>\n<p>The campaign first came to light in early July when ReversingLabs\u00a0researcher Karlo Zanki discovered a package named \u201ccolortoolsv2\u201d on npm.<\/p>\n<p>The package was quickly removed, but attackers attempted to continue the operation by publishing a duplicate package, \u201cmimelib2.\u201d Both packages deployed a second-stage malware payload through blockchain infrastructure.<\/p>\n<h2>What\u2019s New in This Campaign<\/h2>\n<p>While malicious npm downloaders\u00a0appear regularly, these typically contain URLs or scripts embedded in the package itself.<\/p>\n<p>In contrast, colortoolsv2 and mimelib2 leveraged Ethereum smart contracts to store and deliver the URLs used for fetching the second-stage malware. 
This tactic made detection significantly harder, as the malicious infrastructure was hidden within the blockchain code rather than inside the package files.<\/p>\n<p>\u201cDownloaders are [&#8230;] published weekly, [but] this use of smart contracts to load malicious commands is something we haven\u2019t seen previously,\u201d\u00a0RL researchers said.<\/p>\n<p>\u201cIt highlights the fast evolution of detection evasion strategies by malicious actors who are trolling open source repositories and developers.\u201d<\/p>\n<h2>GitHub Repositories Disguised as Trading Tools<\/h2>\n<p>ReversingLabs investigators also found that the npm packages were tied to a broader campaign across GitHub. Fake repositories, presented as cryptocurrency trading bots, appeared well-established with thousands of commits, multiple maintainers and active watchers.<\/p>\n<p>However, much of this activity was fabricated. According to ReversingLabs, stars and watchers came from accounts created in July, each with minimal activity. Additionally, puppet accounts acted as maintainers to inflate legitimacy, and forks and commits were used to create the illusion of popularity.<\/p>\n<p>The most prominent example was a repository named \u201csolana-trading-bot-v2,\u201d which bundled the malicious npm package. 
Although it appeared to be a serious project, closer inspection revealed the network of fake accounts supporting it.<\/p>\n<h2>Growing Threats to Open Source<\/h2>\n<p>The discovery adds to a growing list of software supply chain attacks targeting crypto-focused developers.\u00a0<\/p>\n<p>According to ReversingLabs\u2019s <em>2025 Software Supply Chain Security<\/em> report, there were 23 such campaigns in 2024, including a compromise of the PyPI package ultralytics in December\u00a0that delivered a coin miner.<\/p>\n<p>These incidents highlight the evolving tactics of attackers exploiting both open-source repositories and blockchain technology. ReversingLabs researchers warned that developers must carefully vet libraries and maintainers, looking beyond surface metrics such as stars or downloads.<\/p>\n<p>The report concluded that vigilance and stronger package assessment tools are essential to protecting digital assets and development environments.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A malicious campaign targeting developers through npm and GitHub repositories has been uncovered, featuring an unusual method of using Ethereum smart contracts to conceal command-and-control (C2) infrastructure. The campaign first came to light in early July when ReversingLabs\u00a0researcher Karlo Zanki discovered a package named \u201ccolortoolsv2\u201d on npm. 
The package was quickly removed, but attackers attempted<\/p>\n","protected":false},"author":2,"featured_media":2652,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2651","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2651-c2a4a13e-17de-4b6b-92c0-cf335e7032a3.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2651-c2a4a13e-17de-4b6b-92c0-cf335e7032a3-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2651-c2a4a13e-17de-4b6b-92c0-cf335e7032a3.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2651-c2a4a13e-17de-4b6b-92c0-cf335e7032a3.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2651-c2a4a13e-17de-4b6b-92c0-cf335e7032a3.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2651-c2a4a13e-17de-4b6b-92c0-cf335e7032a3.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2651-c2a4a13e-17de-4b6b-92c0-cf335e7032a3.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2651-c2a4a13e-17de-4b6b-92c0-cf335e7032a3.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2651-c2a4a13e-17de-4b6b-92c0-cf335e7032a3.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2651-c2a4a13e-17de-4b6b-92c0-cf335e7032a3.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2651-c2a4a13e-17de-4b6b-92c0-cf335e7032a3-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2651","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2651"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2651\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2652"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2651"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2651"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2651"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}