Particle.news

Malicious npm Packages Tap Ethereum Smart Contracts for Stealthy C2

Researchers warn the on-chain command channel hinders takedowns by shifting indicators to immutable smart contracts.

Overview

  • ReversingLabs identified two npm packages, colortoolsv2 and mimelib2, uploaded in July 2025 that queried Ethereum contracts to retrieve command-and-control URLs for second-stage downloaders, and both have been removed.
  • The packages were promoted through fabricated GitHub trading-bot projects such as solana-trading-bot-v2 that used sock-puppet stars, commits, and maintainers, with activity tied to the Stargazers Ghost Network.
  • Despite low adoption (colortoolsv2 saw 7 downloads and mimelib2 saw 1), the technique targets developers opportunistically and moves the C2 indicator out of the package code and onto the chain, where it cannot be taken down; the package itself only needs to carry an RPC lookup.
  • Multiple vendors published corroborating indicators of compromise, including Ethereum contract 0x1f117a1b07c108eae05a5bccbe86922d66227e2b and hosts 45.125.67.172 and 193.233.201.21, and Snyk and OSV now list the packages as malicious.
  • Defenders are advised to disable lifecycle scripts during installs (npm install --ignore-scripts, or ignore-scripts=true in .npmrc), pin versions with lockfiles, harden CI, and block or alert on the published IOCs and on ethers.js contract queries in installed packages.