Ethereum, the backbone of crypto apps and DeFi projects, is increasingly being used as a tool for cyberattacks.
Researchers at ReversingLabs have found two npm packages that hid malicious commands inside Ethereum smart contracts, marking a new twist in software supply chain attacks.
Read on to know how this was carried out.
Simple Packages With Hidden Malwares
The two packages, colortoolsv2 and mimelib2, looked like harmless tools, but they secretly pulled in downloader malware. These packages are part of a broader, sophisticated campaign spreading across npm and GitHub.
In July, RL discovered colortoolsv2 using blockchain to deliver malware. It was quickly removed, but a near-identical package called mimelib2 soon appeared with the same malicious code.
Both npm packages were minimal and carried only the malware, while their GitHub repositories were made to look polished and reliable to fool developers.
Using Smart Contracts as a Stealth Tool
What makes this campaign stand out is how the attackers used Ethereum smart contracts to hide malicious URLs.
Colortoolsv2 appeared to be a basic npm package with only two files. Hidden inside was a script that downloaded additional malware from a command-and-control server. Usually, malware campaigns hardcode URLs into their code, which makes them easier to detect.
In this case, the URLs were stored inside Ethereum smart contracts, making it much harder to track and shut down the attack.
“That’s something we haven’t seen previously, and it highlights the fast evolution of detection evasion strategies by malicious actors who are trolling open source repositories and developers,” the researchers said.
Hackers Are Getting More Creative
This attack is part of a growing trend where hackers are finding new ways to deliver malware. In 2023, some Python packages hid malicious URLs inside GitHub Gists, and in 2022, a fake Tailwind CSS npm package stored malware links behind trusted platforms like Google Drive and OneDrive.
How GitHub Was Used as Trap
The attackers also built fake GitHub repositories to make their campaign more convincing.
Attackers set up fake repositories tied to the colortoolsv2 package, posing as crypto trading bots. These projects looked convincing, with thousands of commits, active contributors, and plenty of stars.
But the activity and popularity were faked to trick developers into downloading poisoned code.
This campaign didn’t stop with solana-trading-bot-v2. Other repos like ethereum-mev-bot-v2, arbitrage-bot, and hyperliquid-trading-bot also showed fake commits and activity, though less convincing.
Last year saw 23 campaigns where attackers planted malicious code in open-source repos, including the ultralytics PyPI crypto miner and an April 2025 malware attempt on local crypto tools.
For developers, this is a reminder to carefully vet open-source libraries. Stars, downloads, and activity do not guarantee trust. Both code and maintainers need to be thoroughly reviewed before integration.
