Cybercriminals have published two malicious npm packages - colortoolsv2 and mimelib2 - that target developer environments and use Ethereum smart contracts as a disguise mechanism. The method lets the packages fetch further malicious code from a location that is not visible in the package itself.
The packages, uploaded to npm in July 2025, use Ethereum smart contracts to conceal the URLs of downloader malware. Once pulled into a project, they fetch additional malware from those blockchain-hosted links. The campaign relied on GitHub repositories set up as lures, with inflated popularity metrics to attract developers. Because the packages were identified quickly, the overall damage remained limited, as Hackernews reported.
How did the attack work?
As soon as one of the packages (colortoolsv2 or mimelib2) is integrated into a project, obfuscated code reads a smart contract on the Ethereum blockchain that stores the address of the next malware download location. This technique, known as “EtherHiding”, hides the malicious download location from conventional scans, since the package itself contains no hard-coded URL. The GitHub repositories that used these packages posed as legitimate trading bot projects. Behind them was a network of fake accounts (the Stargazers Ghost Network) that manipulated repository metrics to gain trust.
This is a supply chain attack: the malicious packages reach victims indirectly, via repositories that appear popular and trustworthy. Developers should therefore carefully examine libraries before use - in particular their origin, maintainers, and code. Tools that analyze dependency chains and smart contract activity can provide critical protection here.
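As an added example (not code from the article or from the packages it describes), the following Node.js audit pass shows the kind of automated dependency check the paragraph above recommends: it flags the two package names the article reports as malicious, and it flags the EtherHiding shape in any installed package - an install-time lifecycle hook combined with code that reads from an Ethereum contract. The `SAMPLE` input is a constructed in-memory stand-in for walking `node_modules`; the package name `hypothetical-colors` is invented for illustration.

```javascript
// Package names the article reports as malicious (npm, July 2025).
const KNOWN_MALICIOUS = new Set(['colortoolsv2', 'mimelib2']);

// npm lifecycle hooks that run arbitrary code at install time.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators that package code reads from an Ethereum node at runtime.
// The EtherHiding pattern needs such a read to obtain its next-stage URL;
// a colour or MIME utility has no legitimate reason to perform one.
const CHAIN_INDICATORS = [
  /\beth_call\b/,                      // raw JSON-RPC contract read
  /\bnew\s+(ethers\.)?Contract\s*\(/,   // ethers.js contract binding
  /\.eth\.Contract\s*\(/,              // web3.js contract binding
  /\b0x[0-9a-fA-F]{40}\b/,             // 20-byte address literal
];

// pkgs: { name: { manifest: <package.json object>, source: <concatenated JS> } }
// Returns one finding per flagged package; clean packages produce nothing.
function auditPackages(pkgs) {
  const findings = [];
  for (const [name, { manifest, source }] of Object.entries(pkgs)) {
    const reasons = [];
    if (KNOWN_MALICIOUS.has(name)) reasons.push('name on denylist');
    const scripts = manifest.scripts || {};
    const hooks = INSTALL_HOOKS.filter((h) => h in scripts);
    const chainHits = CHAIN_INDICATORS.filter((re) => re.test(source)).length;
    // Hook plus chain read is the combination worth escalating; either alone is weak.
    if (hooks.length && chainHits) {
      reasons.push(`install hook (${hooks.join(',')}) plus ${chainHits} Ethereum read indicator(s)`);
    }
    if (reasons.length) {
      findings.push({ name, severity: KNOWN_MALICIOUS.has(name) ? 'block' : 'review', reasons });
    }
  }
  return findings;
}

// Constructed sample: one clean utility, one denylisted name, and one invented
// look-alike that has the EtherHiding shape without being a real package.
const SAMPLE = {
  'left-pad-ish': { manifest: { scripts: { test: 'node t.js' } },
                    source: 'module.exports = (s, n) => s.padStart(n);' },
  'colortoolsv2': { manifest: { scripts: { postinstall: 'node setup.js' } },
                    source: 'fetch(rpc, { method: "POST", body: JSON.stringify({ method: "eth_call" }) });' },
  'hypothetical-colors': { manifest: { scripts: { preinstall: 'node i.js' }, dependencies: { ethers: '^6' } },
                    source: 'const c = new ethers.Contract(addr, abi, provider);' },
};

console.log(JSON.stringify(auditPackages(SAMPLE), null, 2));
```

In a CI job the same function would be fed the manifests and sources read from `node_modules`, with a `block` finding failing the build and a `review` finding routed to a human.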
What does this mean for developers?
The combination of the open-source ecosystem and blockchain technology makes this attack particularly dangerous. While classic supply chain attacks often rely on tampered libraries, the use of Ethereum smart contracts adds an extra layer of obfuscation. This makes it significantly harder for security tools to detect malicious activity at an early stage.
Security researchers are therefore calling for stronger collaboration between platforms like npm, GitHub, and blockchain analysts. Only if malicious packages are reported and blocked more quickly - and their smart contract infrastructure uncovered - can the damage be contained. At the same time, experts urge developers to continuously monitor their dependencies and integrate automated scans into their CI/CD pipelines.