Ethereum smart contracts used to push malicious code on npm

Sept. 4, 2025, 8:18 a.m.

Description

Two npm packages, colortoolsv2 and mimelib2, were found using a novel technique: Ethereum smart contracts that conceal the malicious commands for installing downloader malware. The packages are part of a larger campaign targeting npm and GitHub. The attackers created sophisticated GitHub repositories with fake popularity metrics to lure developers. The campaign focused on cryptocurrency-related projects and used blockchain technology to evade detection. The incident highlights the evolving strategies malicious actors use to compromise open-source repositories, and the need for developers to carefully assess third-party packages before using them.

Date

  • Created: Sept. 4, 2025, 12:59 a.m.
  • Published: Sept. 4, 2025, 12:59 a.m.
  • Modified: Sept. 4, 2025, 8:18 a.m.

Attack Patterns