Ethereum, the backbone of crypto apps and DeFi projects, is increasingly being used as a tool for cyberattacks. Researchers at ReversingLabs have discovered two npm packages that hid malicious commands inside Ethereum smart contracts, unveiling a new twist in software supply chain attacks.
Simple Packages With Hidden Malware
The two packages, colortoolsv2 and mimelib2, appeared to be harmless tools on the surface. However, they discreetly included downloader malware within their code. This discovery is part of a larger, sophisticated campaign that is spreading across npm and GitHub platforms. In July, colortoolsv2 was found to be using blockchain technology to deliver malware. Although it was promptly removed, a nearly identical package called mimelib2 emerged shortly after, containing the same malicious code. Both npm packages were designed to be minimalistic, carrying only the malware, while their GitHub repositories were crafted to appear reliable and polished in order to deceive developers.
Using Smart Contracts as a Stealth Tool
What sets this campaign apart is the attackers’ use of Ethereum smart contracts to conceal malicious URLs. Colortoolsv2 appeared to be a basic npm package with only two files; however, hidden within it was a script that downloaded additional malware from a command-and-control server. Typically, malware campaigns hardcode URLs into their code, making them easier to detect. In this instance, the URLs were stored within Ethereum smart contracts, making it significantly more challenging to track and shut down the attack. The researchers noted that this tactic is a new development in evasion strategies employed by malicious actors targeting open-source repositories and developers.
Hackers Are Getting More Creative
This attack is part of a broader trend where hackers are discovering innovative ways to distribute malware. In previous instances, Python packages concealed malicious URLs within GitHub Gists, and a fake Tailwind CSS npm package stored malware links behind reputable platforms like Google Drive and OneDrive.
How GitHub Was Used as a Trap
To enhance the credibility of their campaign, the attackers created fake GitHub repositories. These repositories were linked to the colortoolsv2 package and posed as crypto trading bots, most prominently solana-trading-bot-v2. Despite appearing authentic with numerous commits, active contributors, and a high number of stars, these projects were fabricated to lure developers into downloading compromised code. The campaign extended beyond solana-trading-bot-v2: other repositories such as ethereum-mev-bot-v2, arbitrage-bot, and hyperliquid-trading-bot also showed fake commits and activity, albeit less convincingly. In the past year, there have been 23 campaigns in which attackers inserted malicious code into open-source repositories, including the ultralytics PyPI crypto miner and an attempted malware attack on local crypto tools in April 2025.
For developers, this serves as a reminder to diligently assess open-source libraries. While stars, downloads, and activity may seem indicative of trustworthiness, it is essential to thoroughly review both the code and maintainers before integration. Stay vigilant and prioritize security when incorporating third-party libraries into your projects.