Close Menu
Crypto Valley Journal
    Facebook X (Twitter) Instagram
    Crypto Valley Journal
    • Hot Topics
      • News
      • Minds
    • Focus
      • Background
      • Blockchain
      • Legal & Compliance
      • Non-Fungible Token (NFTs)
    • Investing
      • Markets
      • Financial Products
      • Decentralized Finance (DeFi)
      • Exchange overview
    • Education
      • Basics
      • Glossary
      • Politicians on crypto
    • Statistics
      • Bitcoin-ETF-Flows
      • Ethereum-ETF-Flows
      • Crypto market data
      • On-chain data
    • Academy
      • Overview
      • Part 1: Blockchain
      • Part 2: Money
      • Part 3: Bitcoin
      • Part 4: Cryptocurrencies
      • Part 5: Decentralized Finance
      • Part 6: Investing
    • English
      • Deutsch
    Crypto Valley Journal
    You are at:Home » Hot Topics » News » NPM malware leads to crypto losses
    NPM malware leads to crypto losses

    NPM malware leads to crypto losses

    By Editorial Office CVJ.CH on 9. September 2025 News

    Cybercriminals have developed two malicious npm packages - colortoolsv2 and mimelib2 - that target developer environments by using Ethereum blockchain smart contracts as a disguise mechanism. This sophisticated method enables the download of harmful software in an unexpected way.

    The npm packages, uploaded in July 2025, use Ethereum smart contracts to conceal the URLs for downloader malware. When used within a project, they fetch additional malware through these blockchain links. The campaign leveraged targeted GitHub repositories and manipulated popularity tactics to lure developers. Thanks to the rapid identification of the vulnerabilities, the overall damage remained limited, as Hackernews reported.

    Subscribe to our newsletter

    The best articles of the week, directly delivered into your mailbox.

    How did the attack work?

    As soon as one of the packages (colortoolsv2 or mimelib2) is integrated into a project, an obfuscated code activates a smart contract on the Ethereum blockchain that contains the address of the next malware download location. This method - known as “EtherHiding” - cleverly conceals the malicious command from traditional scans. The GitHub repositories using these packages posed as legitimate trading bot projects. Behind them was a network (Stargazers Ghost Network), whose fake accounts manipulated repository metrics to gain trust.

    These cyberattacks are carried out through so-called supply chain attacks: malicious packages are indirectly distributed via popular repositories. Developers should therefore carefully examine libraries before use - particularly their origin, maintainers, and code. Tools for analyzing dependencies, chains, and smart contract activity can provide critical protection here.

    Ray Dalio’s Bridgewater Associates Minds

    Star investor Ray Dalio considers Bitcoin inferior to gold

    Most crypto cards hide who issues them. After mapping the licensed issuers, here is why Switzerland's self-issuing model reads differently. Background

    The bank you never chose: who really issues Switzerland’s crypto cards

    Robinhood Perpetual Futures in Europe now cover commodities and currencies, and the broker plans a crypto launch in the United Kingdom. Financial Products

    Robinhood Perpetual Futures expand to commodities in Europe

    Digital finance transparency relies on Proof of Reserves, Merkle trees, MPC custody and 24/7 monitoring to verify solvency and user assets. Basics

    Transparency as the foundation of security in digital finance

    Ray Dalio’s Bridgewater Associates Minds

    Star investor Ray Dalio considers Bitcoin inferior to gold

    Most crypto cards hide who issues them. After mapping the licensed issuers, here is why Switzerland's self-issuing model reads differently. Background

    The bank you never chose: who really issues Switzerland’s crypto cards

    What does this mean for developers?

    The combination of the open-source ecosystem and blockchain technology makes this attack particularly dangerous. While classic supply chain attacks often rely on tampered libraries, the use of Ethereum smart contracts adds an extra layer of obfuscation. This makes it significantly harder for security tools to detect malicious activity at an early stage.

    Security researchers are therefore calling for stronger collaboration between platforms like npm, GitHub, and blockchain analysts. Only if malicious packages are reported and blocked more quickly - and their smart contract infrastructure uncovered - can the damage be contained. At the same time, experts urge developers to continuously monitor their dependencies and integrate automated scans into their CI/CD pipelines.

    Share. Facebook Twitter LinkedIn Email Telegram WhatsApp

    About the author

    Editorial Office CVJ.CH
    • Website
    • Twitter
    • LinkedIn

    Since 2018, the editorial team at Crypto Valley Journal has been reporting from Zug - the heart of Switzerland’s Crypto Valley - on Bitcoin, cryptocurrency, blockchain, and regulatory developments in digital assets. Behind the publication’s collective editorial voice is a team of writers with backgrounds in financial markets, law, and technology.

    Related Articles

    CVJ Weekly review

    Weekly review: 80mn bank customers in Germany gain access to crypto

    JPMorgan ranks Strategy's sales below the bigger Bitcoin risk and names tokenization beyond public chains as the real threat.

    JPMorgan sees biggest Bitcoin risk beyond Strategy

    AscendEX halted operations on 1 July over lost liquidity and a missing MiCA licence; users get no guarantee of a full payout.

    AscendEX halts operations: payouts uncertain

    CVJ Weekly review
    11. July 2026

    Weekly review: 80mn bank customers in Germany gain access to crypto

    The US banking regulator OCC grants Circle National Trust final approval to operate as a federal trust bank for digital assets.
    10. July 2026

    OCC grants Circle National Trust a bank license

    JPMorgan ranks Strategy's sales below the bigger Bitcoin risk and names tokenization beyond public chains as the real threat.
    10. July 2026

    JPMorgan sees biggest Bitcoin risk beyond Strategy

    twitter image button instagram image button linkedin image button youtube image button

    About Crypto Valley Journal
    About Crypto Valley Journal

    On the pulse of the movement

    • Academy
    • Contact
    • Advertising
    • About us
    • Partner
    • Imprint
    • Privacy
    • Disclaimer
    Search

    Type above and press Enter to search. Press Esc to cancel.