A recent malicious campaign targeting developers through npm and GitHub repositories has been uncovered, showcasing a unique method of using Ethereum smart contracts to conceal command-and-control (C2) infrastructure.
The campaign was first brought to light in early July by ReversingLabs researcher Karlo Zanki, who discovered a package named “colortoolsv2” on npm. Although the package was swiftly removed, attackers persisted by publishing a duplicate package, “mimelib2,” both of which deployed a second-stage malware payload through blockchain infrastructure.
What sets this campaign apart is the use of Ethereum smart contracts to store and deliver the URLs used for fetching the second-stage malware. This approach made detection significantly more challenging, as the malicious infrastructure was hidden within the blockchain code rather than in the package files themselves.
According to ReversingLabs (RL) researchers, this tactic represents a new step in the evolution of detection evasion by malicious actors targeting open source repositories and the developers who rely on them.
In addition to the npm packages, ReversingLabs investigators also uncovered a broader campaign across GitHub. Fake repositories masquerading as cryptocurrency trading bots were found, with fabricated activity to create the illusion of legitimacy. One such repository, “solana-trading-bot-v2,” bundled the malicious npm package and appeared to be a serious project at first glance.
This discovery adds to the growing list of software supply chain attacks targeting crypto-focused developers. The ReversingLabs 2025 Software Supply Chain Security report documented 23 such campaigns in 2024, including the compromise of the PyPI package ultralytics that delivered a coin miner.
These incidents underscore the evolving tactics of attackers who exploit open source repositories and blockchain technology. Developers are urged to vet libraries and their maintainers carefully, looking beyond surface metrics such as stars or download counts to establish the integrity of the code they pull into their projects.
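The vetting advice above can be partly automated. The following is an added example, not ReversingLabs tooling or anything from the campaign's packages: a heuristic scanner for an unpacked npm package that flags the combination described earlier in this article (an install-time lifecycle hook, code that reads a value from an Ethereum contract, and a fetch followed by dynamic execution). The library names in the regular expressions and the sample package it writes to a temp directory are assumptions constructed for the demo.

```python
"""Heuristic vetting of an unpacked npm package for the pattern discussed above:
install-time hooks plus code that reads a URL from an Ethereum contract and then
fetches and executes something. Example tooling, not ReversingLabs' detection."""
import json
import re
import tempfile
from pathlib import Path

HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Weak indicators of reading config from a smart contract (assumed library names).
CHAIN_READ = re.compile(r"eth_call|ethers\.Contract|web3\.eth\.Contract|JsonRpcProvider", re.I)
NET_FETCH = re.compile(r"\b(fetch|axios|https?\.(get|request))\b")
DYN_EXEC = re.compile(r"\b(eval|Function|child_process|runInThisContext)\b")


def vet_package(pkg_dir: Path) -> dict:
    """Return the indicators found and a coarse verdict: low / medium / high."""
    manifest = json.loads((pkg_dir / "package.json").read_text())
    hooks = [h for h in HOOKS if h in manifest.get("scripts", {})]
    chain, fetch_exec = [], []
    for js in pkg_dir.rglob("*.js"):
        text = js.read_text(errors="ignore")
        rel = js.relative_to(pkg_dir).as_posix()
        if CHAIN_READ.search(text):
            chain.append(rel)
        # Fetch plus dynamic execution in the same file is the strongest single signal.
        if NET_FETCH.search(text) and DYN_EXEC.search(text):
            fetch_exec.append(rel)
    score = bool(hooks) + bool(chain) + 2 * bool(fetch_exec)
    verdict = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return {"hooks": hooks, "chain_read": chain, "fetch_exec": fetch_exec, "verdict": verdict}


def make_sample(suspicious: bool) -> Path:
    """Write a constructed package to a temp dir; not a real npm package."""
    d = Path(tempfile.mkdtemp())
    scripts = {"postinstall": "node index.js"} if suspicious else {"test": "jest"}
    (d / "package.json").write_text(json.dumps({"name": "sample", "scripts": scripts}))
    body = ("// constructed indicators only: ethers.Contract read of a stage URL,\n"
            "// then fetch(stageUrl) and eval(body)\n")
    (d / "index.js").write_text(body if suspicious else "module.exports = () => 1;\n")
    return d


if __name__ == "__main__":
    for flag in (True, False):
        print(vet_package(make_sample(flag)))
```

Each indicator is weak on its own (many legitimate packages use lifecycle hooks or talk to Ethereum RPC endpoints); it is the combination in one package, especially at install time, that warrants a manual look.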
In conclusion, vigilance and robust package assessment tools are crucial for safeguarding digital assets and development environments in the face of growing threats to open source security.