Thu Sep 04 10:40:00 UTC 2025
**Malicious NPM Packages Use Ethereum Smart Contracts to Evade Security Scans**
Cybersecurity researchers at ReversingLabs have discovered a new tactic employed by threat actors to distribute malware: hiding malicious URLs within Ethereum smart contracts to bypass traditional security scans. The discovery highlights the evolving sophistication of attacks targeting code repositories.
Two NPM packages, “colortoolsv2” and “mimelib2,” were found to be using this method. According to ReversingLabs researcher Lucija Valentić, the packages, published in July, abused smart contracts to conceal malicious commands that download malware onto compromised systems.
Instead of directly including malicious links, the packages function as simple downloaders that query the Ethereum blockchain to retrieve command-and-control server addresses from the smart contracts. This makes detection significantly more difficult, as blockchain traffic appears legitimate and hides the true source of the malicious payload.
“What is new and different is the use of Ethereum smart contracts to host the URLs where malicious commands are located, downloading the second-stage malware,” Valentić noted.
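A triage heuristic for the pattern described above, as an added example that is not from the article or from ReversingLabs: it flags a package whose code reads from Ethereum and can execute commands while its manifest declares no blockchain purpose. The patterns, the `scanPackage` function, and the fixture packages are all assumptions constructed for illustration.

```javascript
// Added example: static triage heuristic, not ReversingLabs' detection logic.
// Signal 1: code reads from an Ethereum contract or JSON-RPC endpoint.
const CHAIN_READ = [
  /require\(\s*['"](?:ethers|web3)['"]\s*\)/,
  /from\s+['"](?:ethers|web3)['"]/,
  /\beth_call\b/,
  /\b0x[0-9a-fA-F]{40}\b/, // address-sized hex literal
];
// Signal 2: code can run commands or evaluate text it obtained at runtime.
const EXEC_SINK = [
  /require\(\s*['"](?:node:)?child_process['"]\s*\)/,
  /\b(?:execSync|spawnSync|execFile)\s*\(/,
  /\beval\s*\(/,
  /new\s+Function\s*\(/,
];
const CRYPTO_WORDS = /\b(?:ethereum|blockchain|web3|crypto|wallet|defi)\b/i;

const hits = (patterns, text) => patterns.filter((p) => p.test(text)).map(String);

function scanPackage(files) {
  const manifest = JSON.parse(files["package.json"] || "{}");
  const declared = [manifest.name, manifest.description, ...(manifest.keywords || [])].join(" ");
  const chain = [], sink = [];
  for (const [path, text] of Object.entries(files)) {
    if (!path.endsWith(".js")) continue;
    for (const h of hits(CHAIN_READ, text)) chain.push(`${path}: ${h}`);
    for (const h of hits(EXEC_SINK, text)) sink.push(`${path}: ${h}`);
  }
  // The two signals may sit in different files, so combine them per package.
  const undeclared = chain.length > 0 && !CRYPTO_WORDS.test(declared);
  return { chain, sink, undeclared, flagged: chain.length > 0 && sink.length > 0 && undeclared };
}

// Constructed fixtures; these are not the contents of any real package.
const ADDR = "0x" + "ab".repeat(20);
const SUSPECT = {
  "package.json": JSON.stringify({ name: "example-color-utils", description: "Color helpers" }),
  "index.js": `const { ethers } = require("ethers");\nconst target = "${ADDR}";`,
  "lib/run.js": `const cp = require("child_process");`,
};
const WALLET = {
  "package.json": JSON.stringify({ name: "example-wallet-cli", keywords: ["ethereum"] }),
  "cli.js": `const { ethers } = require("ethers");\nconst cp = require("node:child_process");`,
};
const PLAIN = {
  "package.json": JSON.stringify({ name: "example-build-tool" }),
  "build.js": `const { execSync } = require("child_process"); execSync("tsc");`,
};
console.log(scanPackage(SUSPECT).flagged, scanPackage(WALLET).flagged, scanPackage(PLAIN).flagged);
```

A package that labels itself as crypto tooling passes the purpose check, so this only prioritises packages for manual review and does not replace it.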
The malicious packages were part of a broader social engineering campaign orchestrated through GitHub. The attackers created fake cryptocurrency trading bot repositories designed to appear trustworthy. These fake repositories employed tactics such as fabricated commits, fake user accounts, multiple maintainer accounts and professional-looking documentation.
This discovery comes amidst a growing trend of crypto-related attacks targeting open-source repositories. ReversingLabs documented 23 such campaigns in 2024. This latest attack vector demonstrates how threat actors are combining blockchain technology with elaborate social engineering techniques to bypass traditional detection methods. Similar attacks have also been seen targeting other blockchain ecosystems, such as Solana.
“This attack shows that attacks on repositories are evolving,” Valentić concluded, urging developers to remain vigilant and implement robust security measures to protect themselves from these sophisticated threats.