Attackers are using Ethereum smart contracts to hide the location of malware payloads behind seemingly harmless npm packages, a strategy that turns the blockchain into a resilient command channel and complicates takedowns: the package never embeds its infrastructure, it only reads a pointer from on-chain state.
In a recent report, ReversingLabs described two npm packages, colortoolsv2 and mimelib2, that queried a contract on Ethereum to retrieve the URL of a second-stage downloader rather than embedding that infrastructure in the package. Keeping the URL off the package reduces static indicators and makes the malicious intent harder to spot in source review. The packages were published in July and removed promptly after disclosure, but their promotion was traced to a network of GitHub repositories posing as trading bots, such as solana-trading-bot-v2, which used fake stars, inflated commit histories and puppet maintainers to draw developers into the malicious dependency chain.
Download counts were low (colortoolsv2 had seven downloads, mimelib2 one), but the method is what matters. Snyk and OSV now flag both packages as malicious, so teams can identify and remove them from historical builds by name.
Using an Ethereum contract as a command channel is not new. In late 2024, researchers observed a similar campaign across numerous npm typosquats. Those packages ran scripts that queried an Ethereum contract, fetched a base URL and downloaded an OS-specific payload named node-win.exe, node-linux or node-macos.
The contract Checkmarx identified took a wallet address as its query parameter, and the infrastructure it pointed to was observed at specific IP addresses. Phylum's deobfuscation showed the loader using ethers.js to call the contract, and the researchers logged how the returned Command and Control (C2) address rotated over time. The effect is that the contract's state becomes a movable pointer to the malware: the attacker updates the stored string, every new install follows it, and the pointer itself offers no domain or hosting account to seize.
ReversingLabs treats the 2025 packages as a continuation of the technique, with the contract now holding the URL of the next stage rather than the payload itself. Distributing the packages through GitHub repositories with fabricated activity is meant to defeat casual due diligence and to exploit automated dependency updates in cloned repositories.
The most direct defence is to stop lifecycle scripts from running during install and in Continuous Integration (CI). npm supports the --ignore-scripts flag for npm ci and npm install; the same behaviour can be made the default with ignore-scripts=true in .npmrc, with builds that genuinely need a package's install script re-enabling it explicitly for that package. Beyond that, standard Node.js hygiene applies: pin versions through a committed lockfile, and review maintainers and package metadata before adopting a dependency.
Block outbound traffic to the published IOCs, and watch build logs and package sources for ethers.js being used to call a contract's getString(address) function, since that on-chain lookup is what both campaigns relied on. The malicious packages are gone, but the pattern persists, and on-chain indirection as a route into developer environments warrants ongoing vigilance.
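As an added example (not code from ReversingLabs, Checkmarx or Phylum), here is a small Node.js triage script that applies the checks from the last two paragraphs to an unpacked npm package: it reports lifecycle hooks declared in package.json and scores source files for the on-chain C2 pattern described earlier (an ethers.js import, a getString(address) ABI entry, a hard-coded 20-byte address, OS-specific payload names, child-process execution). Both sample packages, including the stager that mimics the loader shape, are constructed for the demonstration and are never executed; the RPC URL, addresses, weights and thresholds are placeholders chosen for illustration.

```javascript
// Added example (not the researchers' code): static triage of an unpacked npm
// package for the on-chain C2 pattern described above. Sample inputs are
// constructed; the placeholder RPC URL and addresses are not real indicators.

// Hooks that npm runs automatically when the package is installed as a dependency.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Weighted indicators (weights are illustrative). A lone ethers.js import is
// normal in dapp code, so it scores low; the getString(address) ABI entry is
// the distinctive part of the loader.
const INDICATORS = [
  { name: "ethers-import", weight: 1, re: /require\(\s*["']ethers["']\s*\)|from\s+["']ethers["']/ },
  { name: "getString-abi", weight: 3, re: /getString\s*\(\s*address\s*\)/ },
  { name: "eth-address", weight: 1, re: /\b0x[0-9a-fA-F]{40}\b/ },
  { name: "os-payload-name", weight: 2, re: /node-(?:win\.exe|linux|macos)\b/ },
  { name: "child-process-exec", weight: 1, re: /child_process|execSync|spawn\s*\(/ },
];

// Returns the lifecycle hooks a package declares, with their commands.
function scanPackageJson(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Returns the names of the indicators present in one source file.
function scanSource(text) {
  return INDICATORS.filter((ind) => ind.re.test(text)).map((ind) => ind.name);
}

// files: map of relative path -> file contents for one unpacked package.
function triagePackage(files) {
  const pkg = JSON.parse(files["package.json"] || "{}");
  const hooks = scanPackageJson(pkg);
  const found = new Set();
  for (const [path, text] of Object.entries(files)) {
    if (!/\.[cm]?js$/.test(path)) continue;
    for (const name of scanSource(text)) found.add(name);
  }
  const weights = Object.fromEntries(INDICATORS.map((ind) => [ind.name, ind.weight]));
  let score = [...found].reduce((sum, name) => sum + weights[name], 0);
  if (hooks.length > 0) score += 2; // code that runs at install time raises the stakes
  const verdict = score >= 5 ? "block" : score >= 3 ? "review" : "pass";
  return { hooks, indicators: [...found].sort(), score, verdict };
}

// Constructed sample 1: a stager shaped like the loaders described above.
const ZERO_ADDR = "0x" + "0".repeat(40); // placeholder contract/wallet address
const SUSPICIOUS = {
  "package.json": JSON.stringify({
    name: "colortools-lookalike", version: "1.0.0",
    scripts: { postinstall: "node index.js" },
  }),
  "index.js": `
const { ethers } = require("ethers");
const { execSync } = require("child_process");
const provider = new ethers.JsonRpcProvider("https://rpc.example.invalid");
const abi = ["function getString(address) view returns (string)"];
const contract = new ethers.Contract("${ZERO_ADDR}", abi, provider);
(async () => {
  const base = await contract.getString("${ZERO_ADDR}");
  const name = process.platform === "win32" ? "node-win.exe"
             : process.platform === "darwin" ? "node-macos" : "node-linux";
  // fetch base + "/" + name, write it to disk and execSync it
})();
`,
};

// Constructed sample 2: a benign dapp helper that also imports ethers.js.
const BENIGN = {
  "package.json": JSON.stringify({
    name: "balance-widget", version: "2.1.0", scripts: { test: "node test.js" },
  }),
  "balance.js": `
import { ethers } from "ethers";
export const TOKEN = "0x${"a".repeat(40)}";
export const balanceOf = (provider, who) => provider.getBalance(who);
`,
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, pkg] of [["suspicious", SUSPICIOUS], ["benign", BENIGN]]) {
    console.log(label, JSON.stringify(triagePackage(pkg)));
  }
}
```

In practice the script would be fed the contents of `npm pack` output for each newly added or updated dependency in CI, before any install runs without --ignore-scripts; the same regular expressions can be grepped over build logs. The stager sample scores "block" (an install hook plus every indicator), while the benign helper, despite importing ethers.js and holding an address, scores "pass", which is the separation the weights are meant to give.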

