Particle.news

Malicious npm Packages Hid C2 in Ethereum Smart Contracts, Researchers Find

The disclosure points to a new evasion method that shifts malicious infrastructure into immutable blockchain code.

Overview

  • ReversingLabs identified two npm packages, colortoolsv2 and mimelib2, uploaded in July 2025 with seven and one downloads respectively before their removal.
  • The packages functioned as downloaders that pulled a second-stage payload using URLs stored inside Ethereum smart contracts, a tactic reminiscent of EtherHiding.
  • The operation was tied to crypto-themed GitHub repositories posing as trading bots, including solana-trading-bot-v2, with fabricated commits, stars, and maintainers.
  • Some associated GitHub accounts or repositories are no longer available, and the promoting accounts are assessed to be linked to a distribution-as-a-service (DaaS) cluster dubbed Stargazers Ghost Network.
  • ReversingLabs situates the incident within a rise in crypto-focused supply-chain campaigns and urges developers to vet packages and maintainers beyond stars, downloads, or contributor counts.