{ "name": "Ethereum smart contracts used to push malicious code on npm", "slug": "ethereum-smart-contracts-used-to-push-malicious-code-on-npm", "description": "A novel technique utilizing Ethereum smart contracts was discovered in two npm packages to conceal malicious commands for installing downloader malware. The packages, colortoolsv2 and mimelib2, are part of a larger campaign targeting npm and GitHub. The attackers created sophisticated GitHub repositories with fake popularity metrics to lure developers. The campaign focused on cryptocurrency-related projects, using blockchain technology to evade detection. This incident highlights the evolving strategies of malicious actors in compromising open-source repositories and the need for developers to carefully assess third-party packages before implementation.", "published": "2025-09-03T22:59:13+00:00", "created_at": "2025-09-03T22:59:13+00:00", "modified_at": "2025-09-04T06:18:18+00:00", "created_at_opencti": "2025-09-03T22:59:13+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2025-09-04", "colortoolsv2", "cryptocurrency", "ethereum", "mimelib2", "npm", "smart contracts", "social engineering", "supply chain attack" ], "related_entities": { "malware": [ { "id": "legacy:malware:454cae564eef29e7", "name": "mimelib2", "slug": "mimelib2" }, { "id": "d6660ae9-af43-413a-a10e-ac6e5755de92", "name": "colortoolsv2", "slug": "colortoolsv2" } ], "attack_patterns": [ { "id": "6a146066-5a78-493c-a26a-133b62c1149e", "name": "T1588.002" }, { "id": "7e3e3784-9547-42ca-b888-482972d14be3", "name": "T1528" }, { "id": "32b33067-6566-4b8d-be80-e96f765d84de", "name": "T1059.001" }, { "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2", "name": "T1059.007" }, { "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6", "name": "T1204.002" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" } ] }, "external_refs": [ "https://www.reversinglabs.com/blog/ethereum-contracts-malicious-code", "https://otx.alienvault.com/pulse/68b8e461fef64a908f432843" ] }