A novel technique utilizing Ethereum smart contracts was discovered in two npm packages to conceal malicious commands for installing downloader malware. The packages, colortoolsv2 and mimelib2, are part of a larger campaign targeting npm and GitHub. The attackers created sophisticated GitHub repositories with fake popularity metrics to lure developers. The campaign focused on cryptocurrency-related projects, using blockchain technology to evade detection. This incident highlights the evolving strategies of malicious actors in compromising open-source repositories and the need for developers to carefully assess third-party packages before implementation.