Hackers use Ethereum smart contracts to conceal malware in code libraries: report

Cybercriminals are deploying a novel evasion tactic by using Ethereum smart contracts to bypass detection in malicious npm packages, as threat actors intensify digital attacks using open-source tooling, according to a report by software security firm ReversingLabs.

The software-supply-chain campaign used smart contract code to conceal command-and-control (C2) instructions for malicious Node Package Manager (npm) packages, introducing dangerous open-source components into an extensive collection of JavaScript libraries.

Lucija Valentic, a ReversingLabs researcher, stated that two packages that emerged in July, “colortoolsv2” and a clone, “mimelib2,” pulled C2 URLs from onchain contracts before fetching a second-stage downloader.

A technical write-up published on Wednesday revealed that the packages executed an obfuscated script, querying an Ethereum contract to retrieve the next-stage payload location, rather than hard-coding links in the package itself. This route complicates detection and takedown, marking a new kind of attack vector.

“That’s something we haven’t seen previously,” the security expert wrote, adding that it shows how quickly threat actors are improving detection evasion strategies. The operation also leaned on fake, crypto-themed GitHub repositories, complete with inflated stars and auto-generated commits, to convince developers to add the packages as dependencies.

Valentic said the malware family was taken down after being reported to npm maintainers. Meanwhile, ReversingLabs tied the incident to a broader, ongoing effort to seed malicious npm and GitHub projects presented as trading bots or crypto tools.

“Once we decided to dig deeper into the packages, we discovered evidence of a much larger campaign that was spread across both npm and GitHub, trying to lure developers into downloading repositories that included malicious npm packages,” the researcher wrote.

While the new tactic was shut down, it’s not the only code-related issue leveraging cryptographic technology. Beyond the two npm packages published in July, the company said the threat actors built credibility around decoy repositories such as “solana-trading-bot-v2,” which showed thousands of superficial commits, puppet maintainers, and coordinated stargazer activity, while the malicious dependency was quietly swapped between package names.

Also, ReversingLabs previously flagged related npm campaigns that abused developer trust and open-source tooling earlier this year.

“These latest attacks by threat actors, including the creation of sophisticated attacks using blockchain and GitHub, show that attacks on repositories are evolving,” said Valentic. “Developers and development organizations alike need to be on the lookout for efforts to implant malicious code in legitimate applications, gain access to sensitive development assets, and steal sensitive data and digital assets.”
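For teams reviewing dependencies, the indirection described above (a contract read supplying the next-stage location, with no link in the package) can be surfaced by looking for behaviour combinations rather than URLs. The sketch below is an added example, not code from ReversingLabs or from the reported packages; the signal regexes, verdict names and sample inputs are assumptions constructed for illustration.

```javascript
// Added example: heuristic static check for packages that resolve their next
// stage through an on-chain read. Regexes and verdicts are assumptions.
const SIGNALS = {
  // Ethereum client libraries, raw JSON-RPC reads, or a contract address literal.
  chainLookup: /require\(['"](ethers|web3)['"]\)|eth_call|JsonRpcProvider|\b0x[0-9a-fA-F]{40}\b/,
  // Remote content fetched at run time.
  download: /\bfetch\(|\bhttps?\.get\(|require\(['"](axios|node-fetch)['"]\)/,
  // Process spawning or string evaluation.
  execute: /require\(['"](node:)?child_process['"]\)|\beval\(|new Function\(/,
  // Literal URL: the only thing a URL/domain blocklist scan can match on.
  hardcodedUrl: /https?:\/\/[^\s'"]+/,
};

function scanPackage(files) {
  const hits = {};
  for (const [file, src] of Object.entries(files)) {
    for (const [name, re] of Object.entries(SIGNALS)) {
      if (re.test(src)) (hits[name] = hits[name] || []).push(file);
    }
  }
  // A chain read feeding a download or execution is the indirection to surface.
  const indirect = Boolean(hits.chainLookup && (hits.download || hits.execute));
  const verdict = !indirect ? 'ok' : hits.execute ? 'flag' : 'review';
  return { verdict, hits };
}

// Constructed inputs (not real package code); the address is a placeholder.
const SAMPLES = {
  indirectLoader: { 'index.js': [
    "const { ethers } = require('ethers');",
    "const { exec } = require('child_process');",
    "const LOOKUP = '0x0000000000000000000000000000000000000000';",
    "// value read from LOOKUP is passed to fetch(...) and the result to exec(...)",
  ].join('\n') },
  colorHelper: { 'index.js':
    "module.exports = (r, g, b) => '#' + [r, g, b].map((v) => v.toString(16)).join('');" },
  balanceReader: { 'index.js': [
    "const { ethers } = require('ethers');",
    "const p = new ethers.JsonRpcProvider('https://rpc.example.invalid');",
    "module.exports = (addr) => p.getBalance(addr);",
  ].join('\n') },
};

for (const [name, files] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(scanPackage(files)));
}
```

The first sample is flagged even though it contains no URL, which is the case a blocklist-only scan misses. Because the reported packages ran an obfuscated script, string matching like this belongs after deobfuscation and is a triage aid rather than a verdict.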

© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

 
