
Cybersecurity researchers have discovered two new malicious packages on the NPM registry that use smart contracts on the Ethereum blockchain to carry out malicious actions on compromised systems, distribute malware, and fly under the radar, an example of the constantly shifting tradecraft of threat actors.
“The two NPM packages abuse smart contracts to hide malicious commands that installed downloader malware on compromised systems,” says Lucija Valentić, a researcher at ReversingLabs, in a report shared with The Hacker News.

Both packages, uploaded to NPM in July 2025 and no longer available for download, are listed below –
The software supply chain security company said the libraries are part of a larger, sophisticated campaign spanning both NPM and GitHub that tricks unsuspecting developers into downloading and running them.
The packages themselves make no real effort to hide their malicious functionality, but ReversingLabs noted that considerable effort went into making the GitHub projects that imported them appear trustworthy.
As for the packages themselves, they check whether they are being executed directly or imported into another project, and then retrieve and run the next-stage payload from an attacker-controlled server.
What stands out is the use of Ethereum smart contracts to stage the URL hosting the payload, a technique reminiscent of EtherHiding, even though at face value the packages are run-of-the-mill malware downloaders. The payload URL is read from the blockchain rather than hard-coded, so taking down a hosting server does not disable the downloader and static inspection of the package does not reveal the final destination. This shift highlights the new tactics threat actors are employing to avoid detection.
Further investigation revealed that the packages are referenced in a network of GitHub repositories that purport to be a Solana trading bot v2 which uses “real-time on-chain data” to act automatically and save time and effort. The GitHub account associated with the repositories is no longer available.

These accounts are assessed to be part of a distribution-as-a-service (DaaS) operation called the Stargazers Ghost Network, a cluster of fake GitHub accounts known to artificially inflate the popularity of repositories with stars, forks, watchers, commits and subscriptions.
Those commits contain source code changes that import colortoolsv2. Some of the other repositories pushing the NPM package are Ethereum-Mev-bot-V2, Arbitrage-bot, and Hyperliquid-trading-bot.
The naming of these GitHub repositories, combined with the social engineering and deception involved, suggests that cryptocurrency developers and users are the main targets of the campaign.
“It is important for developers to evaluate each library they are considering implementing before they decide to include it in their development cycle,” Valentić said. “That means pulling back the covers on both open source packages and their maintainers, and assessing how a particular package and the developer behind it present themselves, beyond the raw number of maintainers.”