Rising Cyber Threats: Malicious npm Packages Using Ethereum Smart Contracts
Discovering New Malware on npm
Recent investigations by cybersecurity experts have uncovered two malicious packages lurking within the npm registry. These packages use smart contracts on the Ethereum blockchain as part of their delivery chain, illustrating a trend in which threat actors continually refine their methods of distributing malware. The research, shared by ReversingLabs’ Lucija Valentić, reveals a concerning approach in which malware is stealthily deployed on compromised systems.
Details of the Malicious Packages
Both malicious packages were uploaded to npm in July 2025 and have since been removed from the registry. According to reports, these packages utilize smart contracts to hide malicious commands designed to install downloader malware on targeted systems. In essence, once these packages are integrated into a project, they can cause the system to fetch and execute a subsequent payload from a server controlled by attackers.
The Tactics Behind the Attack
While the packages themselves make no attempt to disguise their malicious intent, the GitHub projects that import them take steps to appear legitimate. This deceptive layer is particularly troubling. When developers unknowingly include these packages in their projects, the malicious functionality is triggered, leading to the execution of harmful code.
A notable aspect of this campaign is the use of Ethereum smart contracts to stage URLs that host the malware payloads. This approach mirrors techniques like EtherHiding, indicating an evolution in tactics aimed at evading traditional detection methods.
Associated GitHub Repositories
Further analysis of these malicious packages reveals their integration into a network of GitHub repositories, notably related to a project dubbed "solana-trading-bot-v2." This specific repository claimed to offer real-time on-chain data to facilitate automated trading, ostensibly aiding developers and users in the cryptocurrency space. However, the GitHub account linked to this repository has since been deleted, highlighting the ephemeral nature of such malicious activities.
The Distribution-as-Service Model
Experts suspect that these malicious activities are linked to a broader campaign known as the Stargazers Ghost Network. This network comprises a series of fraudulent GitHub accounts that engage in behaviors like ‘starring,’ ‘forking,’ ‘watching,’ and committing to malicious repositories to artificially boost their visibility and credibility.
Among the various commits associated with these suspicious accounts is the importation of a package called colortoolsv2. Other repositories implicated in this wave of malware distribution include names like ethereum-mev-bot-v2, arbitrage-bot, and hyperliquid-trading-bot. The naming conventions suggest that the campaign is primarily targeting cryptocurrency developers, employing strategies that merge social engineering with deception.
Importance of Caution for Developers
Given these developments, cybersecurity experts emphasize the necessity for developers to meticulously evaluate each library they plan to incorporate into their projects. Valentić highlights the importance of a thorough review process that extends beyond superficial indicators such as download counts or the number of commits. It’s crucial for developers to delve deeper into both the packages and their maintainers to ensure that they are genuine and safe to use.
As threat actors continue to innovate their tactics, vigilance is essential for safeguarding the integrity of software development and the security of systems in the face of emerging cybersecurity threats.