Ethereum, the backbone of crypto apps and DeFi projects, is increasingly being used as a tool for cyberattacks.
Researchers at ReversingLabs have found two npm packages that hid malicious commands inside Ethereum smart contracts, marking a new twist in software supply chain attacks.
Read on to know how this was carried out.
Simple Packages With Hidden Malwares
The two packages, colortoolsv2 and mimelib2, looked like harmless tools, but they secretly pulled in downloader malware. These packages are part of a broader, sophisticated campaign spreading across npm and GitHub.
In July, RL discovered colortoolsv2 using blockchain to deliver malware. It was quickly removed, but a near-identical package called mimelib2 soon appeared with the same malicious code.
Both npm packages were minimal and carried only the malware, while their GitHub repositories were made to look polished and reliable to f**l developers.
Using Smart Contracts as a Stealth Tool
What makes this campaign stand out is how the attackers used Ethereum smart contracts to hide malicious URLs.
Colortoolsv2 appeared to be a basic npm package with only two files. Hidden inside was a script that downloaded additional malware from a command-and-control server. Usually, malware campaigns hardcode URLs into their code, which makes them easier to detect.
In this case, the URLs were stored inside Ethereum smart contracts, making it much harder to track and shut down the attack.
“That’s something we haven’t seen previously, and it highlights the fast evolution of detection evasion strategies by malicious actors who are trolling open source repositories and developers,” the researchers said.
Hackers Are Getting More Creative
This attack is part of a growing trend where hackers are finding new ways to deliver malware. In 2023, some Python packages hid malicious URLs inside GitHub Gists, and in 2022, a fake Tailwind CSS npm package stored malware links behind trusted platforms like Google Drive and OneDrive.
How GitHub Was Used as Trap
The attackers also built fake GitHub repositories to make their campaign more convincing.
Attackers set up fake repositories tied to the colortoolsv2 package, posing as crypto trading bots. These projects looked convincing, with thousands of commits, active contributors, and plenty of stars.
But the activity and popularity were faked to trick developers into downloading poisoned code.
This campaign didn’t stop with solana-trading-bot-v2. Other repos like ethereum-mev-bot-v2, arbitrage-bot, and hyperliquid-trading-bot also showed fake commits and activity, though less convincing.
Last year saw 23 campaigns where attackers planted malicious code in open-source repos, including the ultralytics PyPI crypto miner and an April 2025 malware attempt on local crypto tools.
For developers, this is a reminder to carefully vet open-source libraries. Stars, downloads, and activity do not guarantee trust. Both code and maintainers need to be thoroughly reviewed before integration.
Earn more PRC tokens by sharing this post. Copy and paste the URL below and share to friends, when they click and visit Parrot Coin website you earn: https://parrotcoin.net0
PRC Comment Policy
Your comments MUST BE constructive with vivid and clear suggestion relating to the post.
Your comments MUST NOT be less than 5 words.
Do NOT in any way copy/duplicate or transmit another members comment and paste to earn. Members who indulge themselves copying and duplicating comments, their earnings would be wiped out totally as a warning and Account deactivated if the user continue the act.
Parrot Coin does not pay for exclamatory comments Such as hahaha, nice one, wow, congrats, lmao, lol, etc are strictly forbidden and disallowed. Kindly adhere to this rule.
Constructive REPLY to comments is allowed