Malicious npm packages used Ethereum smart contracts to conceal payload links

Last updated: 09/04/2025
  • Two npm packages, colortoolsv2 and mimelib2, pulled command-and-control URLs from Ethereum smart contracts to fetch second-stage malware.
  • The operation tied into a broader GitHub social-engineering network with fake trading-bot repos and inflated engagement metrics.
  • Attackers swapped packages after takedown and reused the same on-chain contract, helping traffic blend in with legitimate blockchain activity.
  • Researchers published IoCs and urged developers to verify maintainers, inspect dependencies, and monitor unusual on-chain lookups.

Ethereum smart contracts on npm

Security analysts have detailed a supply‑chain intrusion in which npm packages tapped Ethereum smart contracts to retrieve hidden download links for additional payloads. The tactic cloaks malicious infrastructure behind public blockchain calls, complicating routine scanning and incident response.

The duo of packages, colortoolsv2 and mimelib2, appeared in July 2025 and were quickly removed from the registry. Targeting developers in the crypto ecosystem, the code acted as a thin downloader that blended its network activity with ordinary on‑chain queries, according to research by software supply chain firm ReversingLabs.

What researchers uncovered

Instead of hard‑coding endpoints, the packages fetched next‑stage URLs from an Ethereum smart contract whenever they were executed or imported as a dependency. That indirection mirrors earlier stealth techniques like EtherHiding and allowed the threat to masquerade as legitimate blockchain traffic. While the malicious behavior in the npm code was straightforward, associated GitHub projects worked harder to appear credible.

How the on‑chain indirection worked

Investigators found that colortoolsv2 shipped a minimal loader (including an index.js routine) that queried an on‑chain contract for a string value representing the download location of the second stage. The contract at 0x1f171a1b07c108eae05a5bccbe86922d66227e2b exposed read functions that returned a URL, which the loader then used to pull a payload from an attacker‑controlled server.

After npm blocked colortoolsv2 around early July, the operators introduced mimelib2 with almost the same logic and the very same contract reference, minimizing changes while keeping their control channel intact. The second‑stage component executed after retrieval, and researchers published its hash for detection and forensic triage.

A coordinated GitHub lure

The npm uploads were seeded through a network of deceptive GitHub repositories advertising automated trading tools, such as solana‑trading‑bot‑v2, ethereum‑mev‑bot‑v2, arbitrage‑bot, and hyperliquid‑trading‑bot. Accounts behind these projects had activity patterns designed to look authentic: inflated stars and watchers, frequent commits (some trivial), and multiple listed maintainers.

Analysts associate this seeding effort with the so‑called Stargazers Ghost Network, a distribution‑as‑a‑service cluster that mass‑stars, forks, watches, and commits to bolster the visibility of harmful repositories. Some user handles cited in commit histories added the malicious dependencies directly, and at least one related GitHub account has since been taken down.

Why this evaded routine defenses

Because the downloader consulted a public blockchain to obtain its instructions, standard filters and URL blocklists were less effective. Many security tools do not flag read‑only contract calls, and the attacker could rotate hosting endpoints by updating on‑chain data rather than touching package code or centralized infrastructure. That combination raises the bar for detection and takedown.

Researchers noted that similar ideas have surfaced before in crypto‑focused operations, but using a smart contract to stage C2 locations for npm malware marks a notable shift in how open‑source ecosystems are being probed. Documented crypto‑related campaigns on public repos climbed in 2024, with more than twenty cases logged, and this incident shows the techniques are maturing.

Indicators of compromise (IoCs)

The following identifiers were linked to the campaign and can aid threat hunting and detections:

  • npm colortoolsv2 versions: 1.0.0 (SHA1 678c20775ff86b014ae8d9869ce5c41ee06b6215), 1.0.1 (SHA1 1bb7b23f45ed80bce33a6b6e6bc4f99750d5a34b), 1.0.2 (SHA1 db86351f938a55756061e9b1f4469ff2699e9e27)
  • npm mimelib2 versions: 1.0.0 (SHA1 bda31e9022f5994385c26bd8a451acf0cd0b36da), 1.0.1 (SHA1 c5488b605cf3e9e9ef35da407ea848cf0326fdea)
  • Second stage payload: SHA1 021d0eef8f457eb2a9f9fb2260dd2e39ff009a21
  • Smart contract: 0x1f171a1b07c108eae05a5bccbe86922d66227e2b

Developer impact and recommended checks

For teams relying on npm, the case underlines that popularity signals can be manufactured. Vet maintainers and commit histories, examine recent releases for unusual install or postinstall behaviors, and scrutinize dependencies that make blockchain API calls or dynamic network requests at runtime.

Organizations should combine package allowlists, integrity pinning (including hashes for transitive dependencies), and reproducible builds with static and behavioral analysis. Network monitoring that flags unexpected outbound calls to RPC providers or sudden traffic to unfamiliar domains can also surface abuse of on‑chain indirection.

Before incorporating tools branded as trading bots or MEV helpers, verify whether referenced accounts and repositories have a real track record, not just burst activity over a few days. Pull packages locally for manual review, scan for obfuscated loaders, and watch for code that reads smart contract storage to obtain executable URLs.

Researchers also recommend mapping any on‑chain references used by build or runtime scripts, watching for updates to contract state that could redirect downloads, and documenting IoCs internally so alerts persist even if public listings or accounts are removed.

Taken together, the findings highlight how Ethereum smart contracts were repurposed as a flexible relay for C2 information, how npm and GitHub were woven into the delivery path, and why deeper package hygiene plus on‑chain aware monitoring are now table stakes for development teams working with open‑source and crypto tooling.
