Crypto Developers Targeted by Malicious npm Packages Using Ethereum Smart Contracts

Sep 4, 2025

2 min read

Cybersecurity researchers have uncovered a sophisticated attack campaign targeting cryptocurrency developers through malicious packages on the npm registry. These packages, disguised within seemingly legitimate GitHub projects, leveraged Ethereum smart contracts to conceal and deliver malware, highlighting a growing trend of threat actors exploiting blockchain technology for malicious purposes.

Key Takeaways

  • Two malicious npm packages, colortoolsv2 and mimelib2, were discovered and have since been removed from the registry.

  • These packages used Ethereum smart contracts to hide the URLs of malicious payloads, a technique reminiscent of EtherHiding.

  • The campaign appears to be part of a larger distribution-as-a-service (DaaS) offering known as the Stargazers Ghost Network, which artificially inflates the popularity of malicious repositories on GitHub.

  • The targeting of cryptocurrency developers is evident through the naming of associated GitHub repositories, such as solana-trading-bot-v2 and ethereum-mev-bot-v2.

Sophisticated Distribution Method

Researchers from ReversingLabs identified two npm packages, colortoolsv2 and mimelib2, which were uploaded in July 2025. While the packages themselves did not hide their malicious intent, the associated GitHub projects went to great lengths to appear credible. Once integrated into a developer's project, these packages would fetch and execute a next-stage payload from an attacker-controlled server.

What sets this campaign apart is the innovative use of Ethereum smart contracts to host the URLs for these malicious payloads. This method allows threat actors to obscure the command-and-control infrastructure, making it more difficult for security researchers to detect and block the malware distribution.

Targeting Cryptocurrency Developers

Further investigation revealed that these malicious npm packages were referenced in a network of GitHub repositories that promoted themselves as cryptocurrency trading bots, such as solana-trading-bot-v2 and ethereum-mev-bot-v2. These repositories claimed to use real-time on-chain data for automated trading. The associated GitHub accounts have since been taken down.

It is believed that these accounts are part of the Stargazers Ghost Network, a service that uses fake GitHub accounts to artificially boost the visibility of malicious repositories by starring, forking, and committing to them. Source code changes were found importing the package into repositories like , , and .

Developer Vigilance is Crucial

This campaign underscores the critical need for developers to exercise extreme caution when incorporating third-party libraries into their projects. Cybersecurity experts advise developers to thoroughly vet any package before integration, looking beyond download counts and commit activity to assess the credibility of the package and its maintainers. Understanding the true nature of open-source components is paramount in safeguarding against sophisticated software supply chain attacks.

Sources

  • Malicious npm Packages Exploit Ethereum Smart Contracts to Target Crypto Developers, The Hacker News.
