Hackers are using Ethereum smart contracts to hide malware payloads inside seemingly benign npm packages, a tactic that turns the blockchain into a resilient command-and-control channel and complicates takedowns.
ReversingLabs detailed two npm packages, colortoolsv2 and mimelib2, that read a contract on Ethereum to retrieve the URL of a second-stage downloader rather than hard-coding the infrastructure in the package itself, a choice that reduces static indicators and leaves fewer clues for source code review.
The packages surfaced in July and were removed after disclosure. ReversingLabs traced their promotion to a network of GitHub repositories that posed as trading bots, including Solana-Trading-BOT-V2, with fake stars, inflated commit histories and sock-puppet maintainers, a social layer that led developers to the malicious dependency chain.
Downloads were low, but the method matters. According to The Hacker News, colortoolsv2 saw seven downloads and mimelib2 one, which still fits the opportunistic targeting of developers. Snyk and OSV now list both packages as malicious, giving teams a quick check when auditing historical versions.
The story repeats
The chain echoes a wider campaign that researchers tracked in late 2024 across hundreds of typosquatted npm packages. In that wave, the packages ran install or preinstall scripts that queried an Ethereum contract, retrieved a base URL, then downloaded OS-specific payloads named node-win.exe, node-linux or node-macos.
Checkmarx documented a base contract at 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b coupled with a wallet parameter 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84, with infrastructure observed at 45.125.67.172:1337 and 193.233.201.21:3001, among others.
Phylum's deobfuscation shows the ethers.js call getString(address) on the same contract and records the rotation of C2 addresses over time, behaviour that turns the contract's state into a movable pointer for malware retrieval. Socket independently mapped the typosquat flood and published matching IoCs, including the same contract and wallet, confirming consistency across vendors.
An old vulnerability continues to thrive
ReversingLabs frames the 2025 packages as a continuation in technique rather than scale, with the twist that the smart contract hosts the URL for the next stage, not the payload.
The GitHub distribution work, including fake stars and chore commits, aims to pass casual due diligence and to take advantage of automated dependency updates in clones of the fake repositories.
The design resembles earlier use of third-party platforms for indirection, for example GitHub Gists or cloud storage, but on-chain storage adds immutability, public readability and a neutral location that defenders cannot easily take down.
Concretely, the IoCs in these reports include the Ethereum contract 0x1f117a1b07c108eae05a5bccbe86922d66227e2b linked to the July packages and the 2024 contract 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b, the wallet 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84, the host patterns 45.125.67.172 and 193.233.201.21 with port 1337 or 3001, and the platform-specific payload names noted above.
Hashes for the 2025 second stage include 021d0eef8f457eb2a9f9fb2260dd2e391f009a21, and for the 2024 wave Checkmarx lists Windows, Linux and macOS SHA-256 values. ReversingLabs also published the SHA-1 of each malicious npm version, which helps teams scan artifact stores for prior exposure.
Attack against attack
On the defensive side, the immediate control is to prevent lifecycle scripts from running during installation and in CI. npm documents the --ignore-scripts flag for npm ci and npm install, and teams can set it globally in .npmrc, then selectively allow the packages that genuinely need scripts in a separate step.
The Node.js Security Best Practices page advises the same approach, along with pinning versions via lockfiles and stricter review of maintainers and metadata.
Blocking outbound traffic to the IoCs above and alerting on build logs that initialize ethers.js to call getString(address) give practical detections that line up with the chain-based C2 design.
The packages are gone, the pattern remains, and on-chain indirection now sits alongside typosquats and fake repositories as a reproducible way of reaching developer machines.