Cybersecurity researchers have discovered two new malicious packages on the npm registry that make use of smart contracts for the Ethereum blockchain to carry out malicious actions on compromised systems, signaling the trend of threat actors constantly on the lookout for new ways to distribute malware and fly under the radar.
"The two npm packages abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News.
The packages, both uploaded to npm in July 2025 and no longer available for download, are listed below -
- colortoolsv2 (7 downloads)
- mimelib2 (1 download)
The software supply chain security firm said the libraries are part of a larger and sophisticated campaign impacting both npm and GitHub, tricking unsuspecting developers into downloading and running them.
While the packages themselves make no effort to conceal their malicious functionality, ReversingLabs noted that the GitHub projects that imported these packages took pains to make them look credible.
As for the packages themselves, the nefarious behavior kicks in once either of them is used or included in some other project, causing it to fetch and run a next-stage payload from an attacker-controlled server.
Although this is par for the course when it comes to malware downloaders, where it stands apart is the use of Ethereum smart contracts to stage the URLs hosting the payload – a technique reminiscent of EtherHiding. The shift underscores the new tactics that threat actors are adopting to evade detection.
Further investigation into the packages has revealed that they are referenced in a network of GitHub repositories claiming to be a solana-trading-bot-v2 that leverages "real-time on-chain data to execute trades automatically, saving you time and effort." The GitHub account associated with the repository is no longer available.
It's assessed that these accounts are part of a distribution-as-service (DaaS) offering called Stargazers Ghost Network, which refers to a cluster of bogus GitHub accounts that are known to star, fork, watch, commit, and subscribe to malicious repositories to artificially inflate their popularity.
Included among those commits are source code changes to import colortoolsv2. Some of the other repositories caught pushing the npm package are ethereum-mev-bot-v2, arbitrage-bot, and hyperliquid-trading-bot.
The naming of these GitHub repositories suggests that the cryptocurrency developers and users are the primary target of the campaign, using a combination of social engineering and deception.
"It is critical for developers to assess each library they are considering implementing before deciding to include it in their development cycle," Valentić said. "And that means pulling back the covers on both open source packages and their maintainers: looking beyond raw numbers of maintainers, commits and downloads to assess whether a given package - and the developers behind it - are what they present themselves as."
