Malicious npm Packages Exploit Ethereum Smart Contracts

by CybrGPT

A malicious campaign targeting developers through npm and GitHub repositories has been uncovered, featuring an unusual method of using Ethereum smart contracts to conceal command-and-control (C2) infrastructure.

The campaign first came to light in early July when ReversingLabs researcher Karlo Zanki discovered a package named “colortoolsv2” on npm.

The package was quickly removed, but attackers attempted to continue the operation by publishing a duplicate package, “mimelib2.” Both packages deployed a second-stage malware payload through blockchain infrastructure.

What’s New in This Campaign

While malicious npm downloaders appear regularly, these typically contain URLs or scripts embedded in the package itself.

In contrast, colortoolsv2 and mimelib2 leveraged Ethereum smart contracts to store and deliver the URLs used for fetching the second-stage malware. This tactic made detection significantly harder, as the malicious infrastructure was hidden within the blockchain code rather than inside the package files.

“Downloaders are […] published weekly, [but] this use of smart contracts to load malicious commands is something we haven’t seen previously,” RL researchers said.

“It highlights the fast evolution of detection evasion strategies by malicious actors who are trolling open source repositories and developers.”
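A defender-side triage check for the pattern described above, as an added example (not ReversingLabs' tooling and not code from the packages): it flags a package whose source both reads Ethereum contract state and contains download or execution primitives. The function name `triagePackage`, the rule patterns and the sample fragments are assumptions constructed for illustration; legitimate web3 libraries match the chain rules on their own, so only the combination is flagged, and obfuscated code will evade simple patterns like these.

```javascript
// Heuristic triage: flag packages whose source both reads Ethereum contract
// state and contains download/execute primitives. Patterns are illustrative.
const RULES = {
  chain: [
    /(require\(\s*|from\s+)['"](ethers|web3)['"]/, // Ethereum client libraries
    /\beth_call\b/,                                // raw JSON-RPC contract read
    /\b0x[0-9a-fA-F]{40}\b/,                       // 20-byte address literal
  ],
  fetch: [
    /\bfetch\s*\(/,
    /require\(\s*['"](node:)?https?['"]\s*\)/,
    /require\(\s*['"]axios['"]\s*\)/,
  ],
  exec: [
    /require\(\s*['"](node:)?child_process['"]\s*\)/,
    /\beval\s*\(/,
    /\bnew\s+Function\s*\(/,
  ],
};

// files: { "relative/path.js": "source text" }
function triagePackage(files) {
  const hits = { chain: [], fetch: [], exec: [] };
  for (const [path, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, i) => {
      for (const [kind, patterns] of Object.entries(RULES)) {
        if (patterns.some((re) => re.test(line))) hits[kind].push(`${path}:${i + 1}`);
      }
    });
  }
  // On-chain reads alone are normal for web3 libraries; the combination with
  // download or execution primitives is what merits a manual look.
  const review = hits.chain.length > 0 && (hits.fetch.length > 0 || hits.exec.length > 0);
  return { verdict: review ? "manual-review" : "no-match", hits };
}

// Constructed sample inputs (inert fragments, not code from the real packages).
const SAMPLE_SUSPECT = {
  "index.js": [
    'const { ethers } = require("ethers");',
    'const ADDR = "0x0000000000000000000000000000000000000000"; // placeholder',
    'const cp = require("child_process");',
  ].join("\n"),
};
const SAMPLE_BENIGN = {
  "index.js": 'const https = require("https");\nmodule.exports = (hex) => hex.toUpperCase();',
};
console.log(triagePackage(SAMPLE_SUSPECT).verdict, triagePackage(SAMPLE_BENIGN).verdict);
```

The `hits` lists give `file:line` locations, so a reviewer can go straight to the lines that triggered the match.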


GitHub Repositories Disguised as Trading Tools

ReversingLabs investigators also found that the npm packages were tied to a broader campaign across GitHub. Fake repositories, presented as cryptocurrency trading bots, appeared well-established with thousands of commits, multiple maintainers and active watchers.

However, much of this activity was fabricated. According to ReversingLabs, stars and watchers came from accounts created in July, each with minimal activity. Additionally, puppet accounts acted as maintainers to inflate legitimacy, and forks and commits were used to create the illusion of popularity.

The most prominent example was a repository named “solana-trading-bot-v2,” which bundled the malicious npm package. Although it appeared to be a serious project, closer inspection revealed the network of fake accounts supporting it.

Growing Threats to Open Source

The discovery adds to a growing list of software supply chain attacks targeting crypto-focused developers. 

According to ReversingLabs’s 2025 Software Supply Chain Security report, there were 23 such campaigns in 2024, including a compromise of the PyPI package ultralytics in December that delivered a coin miner.

These incidents highlight the evolving tactics of attackers exploiting both open-source repositories and blockchain technology. ReversingLabs researchers warned that developers must carefully vet libraries and maintainers, looking beyond surface metrics such as stars or downloads.

The report concluded that vigilance and stronger package assessment tools are essential to protecting digital assets and development environments.


© 2025 cybrgpt.com – All rights reserved.