A recent cybersecurity incident has revealed how attackers combined blockchain technology with traditional software repositories to execute a supply chain attack. According to research by ReversingLabs, the threat actors involved deployed rogue npm packages and manipulated GitHub repositories, using Ethereum smart contracts to conceal malware payloads. The campaign is believed to have primarily targeted developers and users in the cryptocurrency sector.
A Shift in Attack Techniques
The researchers highlighted that the incident reflected a growing sophistication in repository-based attacks. They noted that attackers were increasingly attempting to implant malicious code into legitimate applications, with the dual objectives of stealing sensitive development assets and exfiltrating digital resources.
The investigation showed that the attackers utilized Ethereum smart contracts to hide URLs containing secondary malware payloads. This tactic likely helped them evade detection from automated security tools that scan npm packages for suspicious links or commands.
Discovery of Rogue npm Packages
In July, ReversingLabs identified two malicious npm packages named colortoolsv2 and mimelib2. These were found to leverage Ethereum smart contracts for delivering malware. Interestingly, the packages did not make significant efforts to appear legitimate or attractive to developers, which is the usual approach in supply chain compromises. Instead, the researchers concluded that these packages were only one part of a broader coordinated scheme.
Both colortoolsv2 and mimelib2 contained only the files required to perform their malicious tasks. Their primary role was to act as dependencies for fake GitHub repositories that unsuspecting users were tricked into running. Once executed, these repositories would automatically download the rogue npm packages.
Fake GitHub Repositories Crafted to Deceive
The malicious GitHub projects were disguised as automated cryptocurrency trading bots. They appeared convincing by showcasing thousands of code commits, multiple stars, and numerous active contributors. However, deeper analysis revealed that the activity was fabricated.
The accounts behind the commits were sockpuppets, all created around the same period as the npm packages. The inflated activity gave the false impression of legitimacy. ReversingLabs discovered that most commits involved repetitive modifications to the project’s LICENSE file, while genuine changes were limited to code that executed and downloaded the rogue npm dependencies.
⚠️ New RL threat research: 2 malicious #npm packages abuse #Ethereum smart contracts to load #malware on compromised devices. https://t.co/wzDRKfm2yh
— ReversingLabs (@ReversingLabs) September 3, 2025
The researchers observed that the infrastructure used for these commits appeared automated, with thousands being added daily, signaling a well-orchestrated attempt to maintain the illusion of an active development community.
Use of Ethereum for Malware Delivery
The malicious npm packages included code that connected to the Ethereum blockchain. While such a feature might not immediately appear suspicious in a cryptocurrency-related library, its actual purpose was to retrieve hidden URLs stored in Ethereum smart contracts. These URLs then facilitated the download of malware payloads. Smart contracts, which are small programs executed automatically on the blockchain, were thus repurposed as a tool to distribute malicious links covertly.
Lessons for Developers
The campaign underscored the importance of rigorous due diligence when integrating open-source software into projects. Researchers stressed that developers should evaluate not just the raw statistics of a package—such as contributor counts, number of commits, or download volumes—but also verify the authenticity of maintainers and their contributions.
This case has been seen as a warning to the broader development community that supply chain threats are evolving rapidly. With attackers blending blockchain tools and repository manipulation, developers are urged to adopt a deeper level of scrutiny before incorporating third-party libraries into their workflows.
