Cybersecurity researchers have uncovered a novel malware distribution campaign that leverages Ethereum smart contracts to mask malicious activity within open-source JavaScript packages. Two compromised packages—colortoolsv2 and mimelib2—were uploaded to the npm registry in July 2025 and briefly available before being removed. Although they had only a handful of downloads, their sophistication and tactics signal a broader shift in attacker methodology.
According to ReversingLabs researcher Lucija Valentić, the packages contained code that triggered malicious activity only when integrated into other projects. Once executed, they fetched a second-stage payload from an attacker-controlled server. The standout technique, however, was the use of smart contracts on the Ethereum blockchain to dynamically stage the payload URLs—mirroring a technique seen in earlier threats like EtherHiding.
npm package colortoolsv2 being replaced with mimelib2. Source: reversinglabs.com.
What makes this campaign more insidious is its reliance on social engineering within open-source ecosystems. The packages were tied to a web of deceptive GitHub repositories masquerading as legitimate cryptocurrency trading bots—such as solana-trading-bot-v2, ethereum-mev-bot-v2, and hyperliquid-trading-bot. These repos claimed to offer automated, on-chain trading solutions, enticing developers in the crypto space to download and reuse the code.
Researchers believe the campaign is connected to a broader distribution-as-a-service (DaaS) operation dubbed the Stargazers Ghost Network. This network manipulates GitHub’s trust signals by creating fake accounts that star, fork, and commit to malicious repositories, artificially inflating their credibility and visibility.
The incident highlights a concerning trend in malware distribution: the abuse of decentralized technologies and open-source platforms to evade traditional detection mechanisms. While the packages themselves weren’t obfuscated, the broader infrastructure around them was carefully designed to appear trustworthy.
This discovery is a stark reminder for developers—especially those in the cryptocurrency and blockchain space—to thoroughly vet any open-source dependencies before integrating them into their projects. Beyond checking download counts or commit frequency, it’s critical to investigate the reputations of maintainers and the code’s behavior. As attackers evolve, so too must our vigilance in securing the software supply chain.
