Malicious npm packages hid payload routes inside Ethereum smart contracts

Last updated: 09/04/2025
  • Two npm packages, colortoolsv2 and mimelib2, queried Ethereum smart contracts to fetch C2 URLs for second-stage malware.
  • Attackers ran a staged campaign using fake GitHub trading-bot repos to lure developers.
  • The technique blends with legitimate blockchain traffic, complicating detection and takedown.
  • ReversingLabs shared IoCs, including package hashes and a contract address used to serve URLs.


Researchers have detailed a supply-chain scheme on the npm registry in which two JavaScript libraries consulted Ethereum smart contracts to discover download locations for follow-on malware. The tactic, observed in July 2025 and now removed from npm, shows how public blockchains can be misused as a layer of indirection to keep command-and-control (C2) infrastructure out of sight.

Instead of embedding fixed URLs, the malicious code pulled them at runtime from a contract on Ethereum, making the activity look like ordinary on-chain queries. That shift toward using a decentralized “address book” for payload delivery illustrates how threat actors are adapting to evade conventional scanning and simplistic blocklists.

What was uploaded to npm

According to ReversingLabs, the packages named colortoolsv2 and mimelib2 were published in July 2025 and later taken down. Each acted as a small loader: once the package was installed or imported, it executed code that reached out to an Ethereum contract, read a value, and then fetched a next-stage component from the returned URL.

While the npm libraries did not deeply obfuscate their loader behavior, credibility was manufactured elsewhere: linked GitHub projects adopted familiar naming and activity patterns to appear legitimate, making it easier for developers to accept the dependency at a glance.

How the smart-contract pivot worked

The payload locations were not hardcoded. Instead, the loader queried a contract at 0x1f171a1b07c108eae05a5bccbe86922d66227e2b, using read functions that returned a string interpreted as a URL for the second stage. By hosting the pointer on-chain, attackers gained resilience: it is public, queryable, and updateable without pushing new npm releases or maintaining a single takedown-prone server.

Because blockchain lookups resemble benign crypto tooling and analytics, those requests can blend into normal developer workflows. The approach echoes earlier ideas like EtherHiding, but here it was wired straight into npm package execution, turning a routine install into a pathway for staged delivery.
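As an added illustration (not code from the article, from ReversingLabs, or from the packages themselves), the Node.js snippet below shows how an analyst can recover the string a contract read handed back from a captured eth_call request/response pair, which is how an on-chain pointer of this kind becomes a blockable indicator. The contract address is the one reported in the article; the function selector and the returned URL are constructed placeholders.

```javascript
// Recover the pointed-to URL from a captured eth_call response. A read function
// returning `string` yields ABI data: word 0 = byte offset of the string, then
// a 32-byte length word, then the UTF-8 bytes right-padded to a 32-byte boundary.
const WORD = 32;

// Encode a string the way an EVM `string` return value is encoded. Used here
// only to build the constructed sample response below.
function abiEncodeString(str) {
  const data = Buffer.from(str, 'utf8');
  const padded = Math.ceil(data.length / WORD) * WORD;
  const out = Buffer.alloc(WORD * 2 + padded);
  out.writeUInt32BE(WORD, WORD - 4);            // word 0: offset to length word
  out.writeUInt32BE(data.length, WORD * 2 - 4); // word 1: byte length
  data.copy(out, WORD * 2);                     // payload bytes
  return '0x' + out.toString('hex');
}

// Decode the `result` of an eth_call JSON-RPC response into the string.
// Throws on malformed or truncated data instead of returning garbage.
function abiDecodeString(hex) {
  const buf = Buffer.from(hex.replace(/^0x/, ''), 'hex');
  if (buf.length < WORD * 2) throw new Error('too short for an ABI string');
  const offset = Number(buf.readBigUInt64BE(WORD - 8));
  if (offset + WORD > buf.length) throw new Error('offset past end of data');
  const length = Number(buf.readBigUInt64BE(offset + WORD - 8));
  const start = offset + WORD;
  if (start + length > buf.length) throw new Error('length past end of data');
  return buf.subarray(start, start + length).toString('utf8');
}

// Turn a captured request/response pair into an indicator: which contract was
// read and what string (URL) it handed back.
function extractPointer(rpcRequest, rpcResponse) {
  const call = rpcRequest.params[0];
  return { contract: call.to.toLowerCase(), url: abiDecodeString(rpcResponse.result) };
}

// Constructed sample. The contract address is the one reported for the campaign;
// the selector and the returned URL are placeholders, not the real values.
const sampleRequest = {
  jsonrpc: '2.0', id: 1, method: 'eth_call',
  params: [{ to: '0x1f171a1b07c108eae05a5bccbe86922d66227e2b', data: '0x00000000' }, 'latest'],
};
const sampleResponse = {
  jsonrpc: '2.0', id: 1, result: abiEncodeString('https://stage2.example.invalid/payload.js'),
};

console.log(extractPointer(sampleRequest, sampleResponse));
```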

A wider GitHub push to seed adoption

The npm packages were referenced across a network of GitHub repositories positioned as crypto trading utilities. Examples included solana-trading-bot-v2, ethereum-mev-bot-v2, arbitrage-bot, and hyperliquid-trading-bot. Activity around these repos—stars, forks, watchers, and frequent commits—was engineered to project legitimacy and momentum.

ReversingLabs ties this amplification to a distribution-as-a-service cluster known as Stargazers Ghost Network, where coordinated accounts inflate popularity signals and slip malicious dependencies into projects. The associated GitHub account for one flagship repo was later removed, but commit histories showed how the malicious imports were threaded into code over time.

Timeline and package rotation

Colortoolsv2 surfaced first and was blocked on npm around July 7, 2025. Soon after, the actors pivoted to a near-identical replacement named mimelib2, preserving the same smart-contract lookup for the second-stage URL. This rapid swap underscores a familiar pattern in supply-chain incidents: once one artifact is flagged, a lookalike package quickly fills its role.

Indicators of compromise (IoCs)

ReversingLabs reported the following indicators that map to the campaign. Organizations can use these to drive detection and hunting efforts:

  • npm packages and versions:
    • colortoolsv2 1.0.0 (SHA1 678c20775ff86b014ae8d9869ce5c41ee06b6215)
    • colortoolsv2 1.0.1 (SHA1 1bb7b23f45ed80bce33a6b6e6bc4f99750d5a34b)
    • colortoolsv2 1.0.2 (SHA1 db86351f938a55756061e9b1f4469ff2699e9e27)
    • mimelib2 1.0.0 (SHA1 bda31e9022f5994385c26bd8a451acf0cd0b36da)
    • mimelib2 1.0.1 (SHA1 c5488b605cf3e9e9ef35da407ea848cf0326fdea)
  • Second-stage file: SHA1 021d0eef8f457eb2a9f9fb2260dd2e39ff009a21
  • Ethereum contract: 0x1f171a1b07c108eae05a5bccbe86922d66227e2b

Why this method complicates defense

By outsourcing the “where to go next” decision to a smart contract, the attackers decouple the malware’s logic from a single endpoint. If a URL is blocked, the contract value can be updated, and the same npm package will resolve a new location without change. That dynamism undermines static indicators and raises the bar for takedowns.

Additionally, many developer environments already interact with web3 endpoints, so EVM calls may not be inherently suspicious. The line between legitimate blockchain traffic and malicious beaconing blurs, challenging both network monitoring and endpoint detection strategies.

Practical steps for npm and web3 developers

Teams should combine code, maintainer, and network scrutiny before bringing in a dependency. Beyond download counts and stars, examine maintainer history, repository age, commit quality, release cadence, and whether the package unexpectedly reaches out to on-chain contracts or unfamiliar hosts.

  • Inspect install and postinstall hooks as well as entry points for network calls or child-process execution.
  • Block or alert on unexpected EVM RPC queries from CI/CD or build pipelines; baseline what your tooling should access and deny the rest.
  • Pin versions, use lockfiles, and mirror vetted packages to an internal registry to reduce exposure to package swaps.
  • Adopt artifact attestations and signature verification (e.g., SLSA provenance) so dependency integrity is verified at build.
  • Continuously scan dependency graphs for newly disclosed IoCs and anomalous maintainer changes.
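The hook inspection and on-chain-lookup checks in the list above can be scripted as a pre-install triage pass. The following is an added example (not ReversingLabs tooling and not the packages' code): the signal lists and the sample package are constructed for the demo, and the `getUrl` name in the sample is a placeholder, since the article does not name the contract's read function.

```javascript
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Token families that, together, match the loader shape from this campaign.
const SIGNALS = {
  evmRead:  [/\beth_call\b/, /new\s+ethers\.Contract\s*\(/, /\.eth\.Contract\s*\(/, /\bcallStatic\b/],
  download: [/\bfetch\s*\(/, /\bhttps?\.get\s*\(/, /\baxios\b/],
  execute:  [/\beval\s*\(/, /new\s+Function\s*\(/, /\bchild_process\b/, /vm\.runIn\w+Context\s*\(/],
};

// Report which signal families occur in one source file.
function classify(source) {
  const hits = {};
  for (const [family, patterns] of Object.entries(SIGNALS)) {
    hits[family] = patterns.some((re) => re.test(source));
  }
  return hits;
}

// pkg: parsed package.json; sources: map of relative path -> file text.
// Returns findings in the order encountered; an empty list means nothing matched.
function triagePackage(pkg, sources) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ level: 'info', what: `lifecycle hook ${hook}: ${scripts[hook]}` });
  }
  for (const [path, text] of Object.entries(sources)) {
    const h = classify(text);
    if (h.evmRead && h.download && h.execute) {
      findings.push({ level: 'high', what: `${path}: contract read + remote fetch + code execution` });
    } else if (h.evmRead && (h.download || h.execute)) {
      findings.push({ level: 'medium', what: `${path}: contract read + ${h.download ? 'remote fetch' : 'code execution'}` });
    }
  }
  return findings;
}

// Constructed sample with the loader's shape (isolated tokens, not a working
// loader). getUrl is a placeholder; the real read function name is not known here.
const samplePkg = { name: 'constructed-sample', version: '0.0.1', scripts: { postinstall: 'node index.js' } };
const sampleSources = {
  'index.js': [
    'const c = new ethers.Contract(ADDR, ABI, provider);',
    'const url = await c.getUrl();',
    'const body = await (await fetch(url)).text();',
    'eval(body);',
  ].join('\n'),
};

console.log(triagePackage(samplePkg, sampleSources));
```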

For repositories that were touched by the campaign, review recent commits for the introduction of colortoolsv2 or mimelib2, roll keys and tokens used during compromised builds, and consider re-imaging systems that executed the impacted packages to remove any second-stage artifacts.

The episode underscores how a familiar platform—npm—can be leveraged alongside Ethereum to mask the trail between a dependency and its payload host. With on-chain data serving as a resilient pointer, defenders are pushed to correlate package behavior, GitHub signals, and blockchain reads to catch what simple static checks miss.
