
    Ethereum smart contracts quietly push JavaScript malware targeting developers

    By FreshUsNews, September 4, 2025

    Hackers are using Ethereum smart contracts to hide malware payloads inside seemingly benign npm packages, a tactic that turns the blockchain into a resilient command channel and complicates takedowns.

    ReversingLabs detailed two npm packages, colortoolsv2 and mimelib2, that read a contract on Ethereum to fetch a URL for a second-stage downloader rather than hardcoding infrastructure in the package itself, a choice that reduces static indicators and leaves fewer clues in source code reviews.

    The packages surfaced in July and were removed after disclosure. ReversingLabs traced their promotion to a network of GitHub repositories that posed as trading bots, including solana-trading-bot-v2, with fake stars, inflated commit histories, and sock-puppet maintainers, a social layer that steered developers toward the malicious dependency chain.

    The downloads were low, but the method matters. Per The Hacker News, colortoolsv2 saw seven downloads and mimelib2 one, which still fits opportunistic developer targeting. Snyk and OSV now list both packages as malicious, providing quick checks for teams auditing historical builds.

    History repeating itself

    The on-chain command channel echoes a broader campaign that researchers tracked in late 2024 across hundreds of npm typosquats. In that wave, packages executed install or preinstall scripts that queried an Ethereum contract, retrieved a base URL, and then downloaded OS-specific payloads named node-win.exe, node-linux, or node-macos.

    Checkmarx documented a core contract at 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b coupled with a wallet parameter 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84, with observed infrastructure at 45.125.67.172:1337 and 193.233.201.21:3001, among others.

    Phylum’s deobfuscation shows the ethers.js call to getString(address) on the same contract and logs the rotation of C2 addresses over time, a behavior that turns contract state into a movable pointer for malware retrieval. Socket independently mapped the typosquat flood and published matching IOCs, including the same contract and wallet, confirming cross-source consistency.

    An old vulnerability continues to thrive

    ReversingLabs frames the 2025 packages as a continuation in technique rather than scale, with the twist that the smart contract hosts the URL for the next stage, not the payload.

    The GitHub distribution work, including bogus stargazers and chore commits, aims to pass casual due diligence and leverage automated dependency updates inside clones of the fake repos.


    The design resembles earlier use of third-party platforms for indirection, for example GitHub Gist or cloud storage, but on-chain storage adds immutability, public readability, and a neutral venue that defenders cannot easily take offline.

    Per ReversingLabs, concrete IOCs from these reports include the Ethereum contract 0x1f117a1b07c108eae05a5bccbe86922d66227e2b linked to the July packages and the 2024 contract 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b, wallet 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84, host patterns 45.125.67.172 and 193.233.201.21 with port 1337 or 3001, and the platform payload names noted above.

    Hashes for the 2025 second stage include 021d0eef8f457eb2a9f9fb2260dd2e391f009a21, and for the 2024 wave, Checkmarx lists Windows, Linux, and macOS SHA-256 values. ReversingLabs also published SHA-1s for each malicious npm version, which helps teams scan artifact stores for past exposure.

    Defending against the attack

    For defense, the immediate control is to prevent lifecycle scripts from running during install and CI. npm documents the --ignore-scripts flag for npm ci and npm install, and teams can set it globally in .npmrc, then selectively allow necessary builds with a separate step.

    The Node.js security best practices page advises the same approach, along with pinning versions via lockfiles and stricter review of maintainers and metadata.

    Blocking outbound traffic to the IOCs above and alerting on build logs that initialize ethers.js to query getString(address) provide practical detections that align with the chain-based C2 design.
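
    One way to apply these checks to unpacked dependencies before they are installed, as an added example that is not code from ReversingLabs, Checkmarx, Phylum or any tool named in this article: it flags packages that declare install-time lifecycle scripts, contain the IOCs quoted above, or pair a hardcoded address with an ethers.js getString() read. The auditPackage function, its input shape and both sample packages are assumptions made up for illustration.

```javascript
// IOC values are the ones quoted in this article; both sample packages are constructed.
const IOCS = [
  '0x1f117a1b07c108eae05a5bccbe86922d66227e2b', // contract tied to the July 2025 packages
  '0xa1b40044EBc2794f207D45143Bd82a1B86156c6b', // contract from the 2024 wave
  '0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84', // wallet parameter from the 2024 wave
  '45.125.67.172',
  '193.233.201.21',
].map((s) => s.toLowerCase());
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];
// Heuristic (assumption): a hardcoded 20-byte address plus an ethers.js getString() read.
const ETH_ADDRESS = /0x[0-9a-f]{40}\b/i;
const CHAIN_READ = /\bethers\b[\s\S]*\bgetString\s*\(/;

// pkg = { manifest: parsed package.json, files: { relativePath: sourceText } }
function auditPackage(pkg) {
  const findings = [];
  const scripts = pkg.manifest.scripts || {};
  for (const hook of LIFECYCLE) {
    if (scripts[hook]) findings.push({ rule: 'lifecycle-script', where: hook, detail: scripts[hook] });
  }
  for (const [file, text] of Object.entries(pkg.files)) {
    const lower = text.toLowerCase();
    for (const ioc of IOCS) {
      if (lower.includes(ioc)) findings.push({ rule: 'known-ioc', where: file, detail: ioc });
    }
    if (ETH_ADDRESS.test(text) && CHAIN_READ.test(text)) {
      findings.push({ rule: 'onchain-lookup', where: file, detail: 'ethers.js getString() on hardcoded address' });
    }
  }
  return findings;
}

// Constructed sample: a package whose postinstall hook reads a contract string.
const suspicious = {
  manifest: { name: 'example-typosquat', scripts: { postinstall: 'node index.js' } },
  files: { 'index.js': [
    "const { ethers } = require('ethers');",
    "const c = new ethers.Contract('0xa1b40044EBc2794f207D45143Bd82a1B86156c6b', abi, provider);",
    "c.getString('0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84');",
  ].join('\n') },
};
// Constructed sample: an ordinary package with no install hooks.
const benign = {
  manifest: { name: 'example-colors', scripts: { test: 'node test.js' } },
  files: { 'index.js': "module.exports = { red: '#ff0000' };" },
};

for (const pkg of [suspicious, benign]) {
  console.log(pkg.manifest.name, auditPackage(pkg).map((f) => `${f.rule}@${f.where}`));
}
```

    A lifecycle-script finding on its own is common in legitimate packages with native builds; it marks what to review before allowing that package's scripts to run in the separate build step.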

    The packages are gone, the pattern remains, and on-chain indirection now sits alongside typosquats and bogus repos as a repeatable way to reach developer machines.


