Hackers are using Ethereum smart contracts to conceal malware payloads inside seemingly benign npm packages, a tactic that turns the blockchain into a resilient command channel and complicates takedowns.
ReversingLabs detailed two npm packages, colortoolsv2 and mimelib2, that read a contract on Ethereum to fetch a URL for a second-stage downloader rather than hardcoding infrastructure in the package itself, a choice that reduces static indicators and leaves fewer clues in source code reviews.
The packages surfaced in July and were removed after disclosure. ReversingLabs traced their promotion to a network of GitHub repositories that posed as trading bots, including solana-trading-bot-v2, with fake stars, inflated commit histories, and sock-puppet maintainers, a social layer that steered developers toward the malicious dependency chain.
The downloads were low, but the method matters. Per The Hacker News, colortoolsv2 saw seven downloads and mimelib2 one, which still fits opportunistic developer targeting. Snyk and OSV now list both packages as malicious, providing quick checks for teams auditing historical builds.
History repeating itself
The on-chain command channel echoes a broader campaign that researchers tracked in late 2024 across hundreds of npm typosquats. In that wave, packages executed install or preinstall scripts that queried an Ethereum contract, retrieved a base URL, and then downloaded OS-specific payloads named node-win.exe, node-linux, or node-macos.
Checkmarx documented a core contract at 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b coupled with a wallet parameter 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84, with observed infrastructure at 45.125.67.172:1337 and 193.233.201.21:3001, among others.
Phylum’s deobfuscation shows the ethers.js call to getString(address) on the same contract and logs the rotation of C2 addresses over time, a behavior that turns contract state into a movable pointer for malware retrieval. Socket independently mapped the typosquat flood and published matching IOCs, including the same contract and wallet, confirming cross-source consistency.
An old vulnerability continues to thrive
ReversingLabs frames the 2025 packages as a continuation in technique rather than scale, with the twist that the smart contract hosts the URL for the next stage, not the payload.
The GitHub distribution work, including bogus stargazers and chore commits, aims to pass casual due diligence and leverage automated dependency updates within clones of the fake repos.
The Crypto Investor Blueprint: A 5-Day Course On Bagholding, Insider Front-Runs, and Missing Alpha
The design resembles earlier use of third-party platforms for indirection, for example GitHub Gist or cloud storage, but on-chain storage adds immutability, public readability, and a neutral venue that defenders cannot easily take offline.
Per ReversingLabs, Concrete IOCs from these reports include the Ethereum contracts 0x1f117a1b07c108eae05a5bccbe86922d66227e2b linked to the July packages and the 2024 contract 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b, wallet 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84, host patterns 45.125.67.172 and 193.233.201.21 with port 1337 or 3001, and platform payload names noted above.
Hashes for the 2025 second stage include 021d0eef8f457eb2a9f9fb2260dd2e391f009a21, and for the 2024 wave, Checkmarx lists Windows, Linux, and macOS SHA-256 values. ReversingLabs also published SHA-1s for each malicious npm version, which helps teams scan artifact stores for past exposure.
Protecting against the attack
For defense, the immediate control is to prevent lifecycle scripts from running during install and CI. npm documents the --ignore-scripts flag for npm ci and npm install, and teams can set it globally in .npmrc, then selectively allow necessary builds with a separate step.
The Node.js security best practices page advises the same approach, together with pinning versions via lockfiles and stricter review of maintainers and metadata.
Blocking outbound traffic to the IOCs above and alerting on build logs that initialize ethers.js to query getString(address) provide practical detections that align with the chain-based C2 design.
The packages are gone, the pattern remains, and on-chain indirection now sits alongside typosquats and bogus repos as a repeatable way to reach developer machines.
