Security researchers at ReversingLabs have uncovered a sophisticated campaign that uses Ethereum smart contracts to deliver malware through poisoned Node Package Manager (NPM) libraries. The finding highlights a new twist in supply-chain attacks that target developers by hiding malicious payloads in widely-used open-source code.
The firm identified two near-identical NPM packages, colortoolsv2 and mimelib2, which contained a downloader script that resolves a URL stored in an Ethereum smart contract and then fetches a second-stage malware payload. According to researcher Lucija Valentić, downloaders that fetch late-stage malware are published to the npm repository weekly or even daily — but embedding the delivery URL inside a blockchain smart contract is a novel escalation.
ReversingLabs says these two packages were part of a larger network of malicious repositories on GitHub. Many of the repositories were dressed up as crypto trading bots or token-sniping tools, complete with thousands of commits, stars and contributors—much of which the researchers believe was faked to create a false sense of trust.
Industry sources worry this technique strengthens attackers’ stealth. Pseudonymous on-chain investigator 0xToolman warned that many developers assume open-source projects are safe because they’re public, making supply-chain poisoning particularly dangerous.
Binance’s chief security officer, Jimmy Su, has previously linked package poisoning to North Korean state-backed groups such as Lazarus. Chainalysis estimated DPRK-associated actors were behind 61% of crypto losses in 2024, and law enforcement has tied major incidents — including the record Bybit theft — to those groups.
Why it matters: embedding delivery instructions in smart contracts complicates detection and remediation. Developers and firms should harden dependency screening, run automated supply-chain checks, and treat public packages with additional scrutiny. Exchanges and security teams are increasingly sharing threat intel to flag poisoned libraries rapidly.
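One concrete form the "harden dependency screening" advice can take is a pre-install screener that flags the two traits the article describes: an install-time lifecycle hook, and code that reads a value from an Ethereum contract and then fetches or executes something based on it. The block below is an added example written for this page; it is not code from ReversingLabs, Decrypt, or the packages named above. The indicator regexes, risk thresholds, the `scanPackage`/`summarize` names and the two constructed sample packages are all assumptions, and a real deployment would run it over the unpacked tarball before `npm install` rather than over inline strings.

```javascript
// Added example, not code from ReversingLabs or the Decrypt article.
// A heuristic pre-install screener for an npm package: it flags install-time
// lifecycle hooks and source files that combine an Ethereum contract lookup
// with remote fetching or dynamic code execution, the pattern the article
// describes. Indicator lists and risk thresholds are assumptions.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Regexes are deliberately broad: a screener should surface candidates for
// review, not make the final call. No "g" flag, so .test() is stateless.
const INDICATORS = {
  "ethereum-lookup": [
    /require\(["'](ethers|web3)["']\)/,
    /from\s+["'](ethers|web3)["']/,
    /new\s+(ethers\.)?Contract\s*\(/,
    /\beth_call\b/,
  ],
  "remote-fetch": [
    /\bhttps?\.get\s*\(/,
    /\bfetch\s*\(/,
    /require\(["']axios["']\)/,
  ],
  "dynamic-exec": [
    /\beval\s*\(/,
    /new\s+Function\s*\(/,
    /require\(["']child_process["']\)/,
  ],
};

function scanPackage(manifest, files) {
  const findings = [];

  // 1. Install-time hooks: anything here runs on `npm install` with no prompt.
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) {
      findings.push({ kind: "lifecycle-hook", where: hook, detail: scripts[hook] });
    }
  }

  // 2. Source indicators, recorded per file so a reviewer knows where to look.
  for (const [fileName, source] of Object.entries(files)) {
    for (const [kind, patterns] of Object.entries(INDICATORS)) {
      const matched = patterns.find((re) => re.test(source));
      if (matched) {
        findings.push({ kind, where: fileName, detail: matched.source });
      }
    }
  }

  // 3. Risk: the article's chain is hook -> on-chain URL lookup -> download/run.
  const kinds = new Set(findings.map((f) => f.kind));
  const hasHook = kinds.has("lifecycle-hook");
  const hasChain = kinds.has("ethereum-lookup");
  const hasStage2 = kinds.has("remote-fetch") || kinds.has("dynamic-exec");
  let risk = "low";
  if (hasHook && hasChain && hasStage2) risk = "high";
  else if (hasHook && hasStage2) risk = "medium";
  else if (hasChain && hasStage2) risk = "medium";

  return { risk, findings };
}

// Constructed samples (not real packages). The suspicious one mirrors the
// article's description: a postinstall hook, a contract read, then a fetch
// of whatever string came back. CONTRACT_ADDRESS/ABI/provider are placeholders.
const SUSPICIOUS_SAMPLE = {
  manifest: { name: "example-colors", version: "1.0.0", scripts: { postinstall: "node setup.js" } },
  files: {
    "index.js": "module.exports = { hex: (c) => '#' + c };",
    "setup.js": [
      "const { ethers } = require('ethers');",
      "const https = require('https');",
      "const c = new ethers.Contract(CONTRACT_ADDRESS, ABI, provider);",
      "c.getString().then((target) => https.get(target, (res) => { /* stage two */ }));",
    ].join("\n"),
  },
};

const BENIGN_SAMPLE = {
  manifest: { name: "example-colors", version: "1.0.0", scripts: { test: "node test.js" } },
  files: { "index.js": "module.exports = { hex: (c) => '#' + c };" },
};

// One-line summary suitable for a CI log.
function summarize(sample) {
  const { risk, findings } = scanPackage(sample.manifest, sample.files);
  return `${sample.manifest.name}: risk=${risk}, findings=${findings.map((f) => f.kind).join("|")}`;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(summarize(SUSPICIOUS_SAMPLE));
  console.log(summarize(BENIGN_SAMPLE));
}
```

The point of the three-way score is that no single indicator is damning: plenty of legitimate packages ship a `postinstall` step, and plenty of legitimate code talks to an Ethereum node. What the article describes is the combination, so the screener only escalates to "high" when an install hook, an on-chain read and a download-or-execute step all appear in the same package, and leaves the final judgement to a reviewer.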
Source: Decrypt. Read the original coverage for full details.