

Ethical Hacking News

Malicious npm Packages Exploit Ethereum Smart Contracts to Target Crypto Developers




Malicious npm packages have been discovered that exploit Ethereum smart contracts to target cryptocurrency developers, using a combination of social engineering and deception. According to ReversingLabs researcher Lucija Valentić, the two packages in question - colortoolsv2 and mimelib2 - were uploaded to npm in July 2025 and make use of smart contracts on the Ethereum blockchain to carry out malicious actions. This latest development highlights the importance of thoroughly assessing each library that is considered for implementation and the need for developers to stay vigilant in their pursuit of knowledge as the threat landscape continues to evolve.

  • Two malicious npm packages (colortoolsv2 and mimelib2) have been found to use Ethereum smart contracts to infect systems with downloader malware.
  • The packages were uploaded to npm in July 2025 and only activated when used or included in other projects.
  • The use of Ethereum smart contracts is a new tactic employed by threat actors to evade detection.
  • A network of GitHub repositories, including Stargazers Ghost Network, has been found to reference the malicious packages and compromise cryptocurrency developers' systems.
  • Cybersecurity experts emphasize the importance of thoroughly assessing each library before implementation.


    The software supply chain has long been a vulnerable target for malicious actors seeking to compromise systems and steal sensitive data. In recent times, the rise of npm (Node Package Manager) has provided an unprecedented opportunity for threat actors to infiltrate this ecosystem. A new report by ReversingLabs has shed light on two particularly insidious examples of malicious npm packages that make use of smart contracts on the Ethereum blockchain.

    According to Lucija Valentić, a researcher at ReversingLabs, these two packages - colortoolsv2 and mimelib2 - were uploaded to npm in July 2025 and have since been made available for download. However, beneath their innocuous names, these packages conceal malicious commands designed to install downloader malware on compromised systems.

    It is worth noting that the GitHub projects that imported these packages took pains to make them look credible. Despite this, it was only once either of the malicious packages was used or included in some other project that its nefarious behavior kicked in, causing it to fetch and run a next-stage payload from an attacker-controlled server.

    The use of Ethereum smart contracts to stage the URLs hosting the payload marks a new tactic employed by threat actors seeking to evade detection. This technique is reminiscent of EtherHiding, which has been used in the past to conceal malicious activity on the blockchain.

    Further investigation into the packages has revealed that they are referenced in a network of GitHub repositories claiming to be solana-trading-bot-v2. These repositories leverage "real-time on-chain data to execute trades automatically, saving you time and effort." However, upon closer inspection, it is clear that these accounts are part of a distribution-as-service (DaaS) offering called Stargazers Ghost Network.

    This network consists of a cluster of bogus GitHub accounts known to star, fork, watch, commit, and subscribe to malicious repositories. Included among the commits are source code changes that import colortoolsv2 - one of the two malicious npm packages in question.

    The naming of these GitHub repositories suggests that cryptocurrency developers and users are the primary target of the campaign, employing a combination of social engineering and deception to compromise their systems.

    In light of this latest development, cybersecurity experts have emphasized the importance of thoroughly assessing each library that is considered for implementation. This means looking beyond raw numbers of maintainers, commits, and downloads to assess whether a given package, as well as the developers behind it, is what it presents itself to be.
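
    One way to start such an assessment, as an added example that is not code from ReversingLabs or from the article: audit a package-lock.json for the two package names reported above, and flag any installed package whose source combines an on-chain lookup with process execution, the pattern described earlier. The regular expressions, function names and sample data are assumptions constructed for illustration.

```javascript
// Package names reported in the article.
const KNOWN_BAD = new Set(["colortoolsv2", "mimelib2"]);
// Assumed heuristics (not from the report): signs of an on-chain lookup...
const CHAIN = [/require\(["'](ethers|web3)["']\)/, /from\s+["'](ethers|web3)["']/,
               /\beth_call\b/, /new\s+(ethers\.)?Contract\s*\(/];
// ...and signs that the same file can run what it retrieves.
const EXEC = [/require\(["'](node:)?child_process["']\)/,
              /\b(exec|execSync|spawn|spawnSync)\s*\(/, /\beval\s*\(/];

// Names of installed packages from a package-lock.json (lockfileVersion 2 or 3).
// Handles nested installs and scoped names; the root "" entry is skipped.
function lockedNames(lock) {
  const marker = "node_modules/";
  return Object.keys(lock.packages || {})
    .filter((p) => p.includes(marker))
    .map((p) => p.slice(p.lastIndexOf(marker) + marker.length));
}

// files: { relativePath: sourceText } for one installed package.
function auditPackage(name, files) {
  const findings = KNOWN_BAD.has(name) ? ["known-malicious-name"] : [];
  for (const [path, src] of Object.entries(files)) {
    const chain = CHAIN.some((re) => re.test(src));
    const exec = EXEC.some((re) => re.test(src));
    if (chain && exec) findings.push(`chain-lookup+exec:${path}`);
  }
  return findings;
}

// Audit every locked package; returns { name: findings } for flagged ones only.
function auditLock(lock, sources) {
  const report = {};
  for (const name of new Set(lockedNames(lock))) {
    const findings = auditPackage(name, sources[name] || {});
    if (findings.length) report[name] = findings;
  }
  return report;
}

// Constructed sample input (not taken from the real packages).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { "": { name: "demo-app" },
  "node_modules/colortoolsv2": {},
  "node_modules/@demo/build-helper": {},
  "node_modules/chain-util": {},
} };
const SAMPLE_SOURCES = {
  "@demo/build-helper": { "build.js": 'require("child_process").execSync("tsc");' },
  "chain-util": { "index.js": 'const { ethers } = require("ethers"); const { exec } = require("child_process");' },
};
console.log(auditLock(SAMPLE_LOCK, SAMPLE_SOURCES));
```

    A hit is a prompt for manual review rather than a verdict, since legitimate blockchain tooling can match both patterns.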

    As the threat landscape continues to evolve at an unprecedented rate, cybersecurity researchers must remain vigilant in their pursuit of knowledge. It is only through the sharing of information like this that we can hope to stay one step ahead of malicious actors and protect our systems from such nefarious activities.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Malicious-npm-Packages-Exploit-Ethereum-Smart-Contracts-to-Target-Crypto-Developers-ehn.shtml

  • https://thehackernews.com/2025/09/malicious-npm-packages-exploit-ethereum.html


  • Published: Wed Sep 3 17:22:01 2025 by llama3.2 3B Q4_K_M












