Hackers are using Ethereum smart contracts to hide malicious code within npm packages, increasing the difficulty of detection and removal.

Executive Summary

Attackers are leveraging Ethereum smart contracts to conceal malicious code within npm packages, a tactic that increases the complexity of detection and removal. This campaign, uncovered by ReversingLabs in July 2025, highlights the evolving sophistication of software supply chain attacks targeting the crypto and fintech sectors.

The Event in Detail

In July 2025, ReversingLabs researchers discovered two malicious packages, colortoolsv2 and mimelib2, on the npm package repository. These packages employed Ethereum smart contracts to conceal malicious commands that installed downloader malware on compromised systems. Instead of directly embedding suspicious URLs, the malware queried Ethereum smart contracts to obtain command-and-control (C2) server addresses, a technique referred to as "EtherHiding." The colortoolsv2 package, for example, contained an obfuscated, malicious payload in its index.js script that fetched and executed malicious commands. The packages were reported to npm maintainers and subsequently removed.

Market Implications

This novel attack vector raises concerns about the security of open-source repositories and the potential for widespread compromise. As ReversingLabs researcher Lucija Valentić noted, “What is new and different is the use of Ethereum smart contracts to host the URLs where malicious commands are located, downloading the second-stage malware. We have not seen this before, and it illustrates the rapid evolution of evasion strategies by malicious actors targeting open-source repositories and developers.”

This incident could lead to increased scrutiny of npm packages and smart contract security, potentially driving the adoption of new security protocols and auditing practices.

Broader Context

This attack is part of a broader campaign where threat actors created fake repositories disguised as cryptocurrency trading bots on GitHub. These repositories, such as solana-trading-bot-v2, featured thousands of fake commits and inflated star ratings to deceive developers. Cybersecurity firm Kaspersky also warned of similar campaigns on GitHub, where hackers create fraudulent projects containing remote access trojans (RATs) and info-stealers designed to steal cryptocurrency and login credentials. Web3 security incidents resulted in over $2.3 billion in cryptocurrency losses in 2024, highlighting the increasing financial incentive for these types of attacks. This incident underscores the need for continuous security validation and proactive security measures throughout the entire development lifecycle, rather than relying solely on reactive audits.