New Cybersecurity Threat: Malicious npm Packages Target Crypto Developers Using Ethereum Smart Contracts

Cybersecurity researchers have uncovered a new wave of attacks targeting crypto developers through the npm package registry. In July 2025, two malicious packages, “colortoolsv2” and “mimelib2,” were uploaded to npm as part of a sophisticated campaign using social engineering and deception to trick unsuspecting developers. While these packages appeared legitimate, their true intent was to install downloader malware on any system that incorporated them.
What makes this campaign particularly notable is its innovative use of Ethereum smart contracts to conceal the command-and-control infrastructure. Instead of embedding malicious URLs or scripts directly in the package files, the attackers stored and delivered the URLs that fetch the second-stage malware within Ethereum smart contracts. This novel tactic makes detection much more challenging, as the malicious infrastructure is not visible in the package code but hidden on the blockchain.
Once “colortoolsv2” or “mimelib2” was used in a project, the malware would reach out to the attacker-controlled Ethereum smart contract, retrieve the payload URL, and download further malware from that address. This approach reflects a growing trend among cybercriminals to innovate and evade traditional detection by leveraging decentralized and hard-to-monitor platforms like the blockchain.
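An added illustration, written for this article and not code from the report or from the packages it describes: because the second-stage URL sits in a smart contract rather than in the package, a static scan cannot recover it, but it can still flag the shape of the dropper, an install-time lifecycle script combined with an Ethereum contract read and a download-or-execute primitive. The indicator lists and both sample packages below are constructed assumptions for the demo, not a signature for this campaign.

```javascript
// Added heuristic (not from the article): static triage of an npm package.
// The second-stage URL lives on chain, so the scanner never sees it; it looks
// instead for an install hook + a contract/RPC read + a download/exec primitive.
// Indicator lists are assumptions, not a signature for the real packages.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const CHAIN_READ = [
  /require\(\s*["'](ethers|web3)["']\s*\)/, // ethers.js / web3.js (CommonJS)
  /from\s+["'](ethers|web3)["']/,            // same libraries, ESM import
  /\beth_call\b/,                            // raw JSON-RPC contract read
  /\bContract\s*\(/,                         // contract object construction
];
const FETCH_EXEC = [
  /require\(\s*["']child_process["']\s*\)/,
  /\b(exec|execSync|spawn)\s*\(/,
  /\b(eval|new\s+Function)\s*\(/,
  /\bhttps?\.get\s*\(|\bfetch\s*\(/,
];
// pkgJson: parsed package.json; sources: contents of the package's JS files.
// "high" = all three indicators together (the dropper shape described above),
// "medium" = chain read plus download/execute but no install hook,
// "low" = any single indicator, "none" = nothing of interest.
function assessPackage(pkgJson, sources) {
  const findings = [];
  const scripts = (pkgJson && pkgJson.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`install hook "${hook}": ${scripts[hook]}`);
  }
  const hasHook = findings.length > 0;
  const text = sources.join("\n");
  const chain = CHAIN_READ.some((re) => re.test(text));
  const exec = FETCH_EXEC.some((re) => re.test(text));
  if (chain) findings.push("reads from an Ethereum contract or JSON-RPC endpoint");
  if (exec) findings.push("can download or execute content at runtime");
  let verdict = "none";
  if (hasHook && chain && exec) verdict = "high";
  else if (chain && exec) verdict = "medium";
  else if (findings.length > 0) verdict = "low";
  return { verdict, findings };
}
// Constructed samples for the demo; not the contents of the real packages.
const BENIGN_PKG = { name: "tiny-color", scripts: { test: "node test.js" } };
const BENIGN_SRC = ["module.exports = (hex) => parseInt(hex.slice(1), 16);"];
const SUSPICIOUS_PKG = { name: "example-colors", scripts: { postinstall: "node setup.js" } };
const SUSPICIOUS_SRC = [
  'const { ethers } = require("ethers");',
  'const { execSync } = require("child_process");',
  "const c = new ethers.Contract(ADDR, ABI, provider); // reads a string from chain",
];
console.log(assessPackage(BENIGN_PKG, BENIGN_SRC).verdict, assessPackage(SUSPICIOUS_PKG, SUSPICIOUS_SRC).verdict); // none high
```

The verdict is a triage signal for a manual review of the install script and the contract call, not a final judgement; legitimate Web3 tooling will often hit the chain-read indicators alone.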
The incident serves as a serious warning for developers and organizations relying on open-source repositories. It highlights the need for vigilance, supply chain security practices, and careful vetting of third-party packages, especially in critical fields like cryptocurrency development. As threat actors continue adopting cutting-edge techniques, staying informed and proactive is essential to prevent compromise and protect sensitive assets.