Cybersecurity researchers have discovered two new malicious packages on the NPM registry that use Ethereum smart contracts, a sign that threat actors keep searching for new ways to distribute malware and fly under the radar.
“The two NPM packages abused smart contracts to hide the malicious commands that install downloader malware on the compromised system,” ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News.
The packages, which were uploaded to NPM in July 2025 and are no longer available for download, are listed below –
The software supply chain security firm said the libraries are part of a larger, sophisticated campaign that spans both NPM and GitHub and aims to trick unsuspecting developers into downloading and running them.
While the packages make no effort to hide their malicious functionality, ReversingLabs said the GitHub projects importing them were manipulated to make them appear trustworthy.
As soon as a package is installed or included in another project, its nefarious behavior kicks in, causing it to fetch and run the next stage from an attacker-controlled server.
Although this is par for the course for malware downloaders, what sets these packages apart is the use of Ethereum smart contracts to stage the hosting URL – a technique reminiscent of EtherHiding. The shift underscores the new tactics threat actors are adopting to evade detection.
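To make the mechanics above concrete from the defender's side, here is an added example (not code from the article, from ReversingLabs or from the packages described): a small Node.js triage helper that checks a package's manifest for lifecycle scripts that execute automatically at install time, and its entry script for the call shapes of a fetch-and-execute downloader, including the presence of an Ethereum client library that a utility package would have no obvious reason to import. The signal list, the sample manifest and the sample source are constructed assumptions for this example; the helper is a heuristic for prioritising manual review, not a verdict.

```javascript
// Added example, not code from the article or from ReversingLabs.
// Heuristic triage of an npm package: does anything run at install time, and
// does the entry script have the shape of a fetch-and-execute downloader?

// Lifecycle scripts that npm runs automatically during installation.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Source-code signals worth a human look (assumed list for this example).
const SOURCE_SIGNALS = [
  { id: "dynamic-eval", re: /\b(eval|new\s+Function)\s*\(/ },
  { id: "spawns-process", re: /\b(child_process|execSync|spawnSync|spawn|exec)\b/ },
  { id: "remote-fetch", re: /\b(https?\.get|https?\.request|fetch|axios)\s*\(/ },
  // An Ethereum client in a package whose purpose is unrelated to blockchains is
  // the stand-out feature in the article: the contract is used to stage the URL.
  { id: "ethereum-client", re: /require\(\s*["'](ethers|web3)["']\s*\)|from\s+["'](ethers|web3)["']/ },
];

/**
 * Audit a parsed package.json together with the text of its entry script.
 * @param {object} pkg parsed package.json
 * @param {string} entrySource contents of the script that runs on install/import
 * @returns {{hooks: {hook: string, command: string}[], signals: string[], downloaderShape: boolean}}
 */
function auditPackage(pkg, entrySource) {
  const scripts = (pkg && pkg.scripts) || {};
  const hooks = LIFECYCLE_HOOKS
    .filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));

  const signals = SOURCE_SIGNALS
    .filter((s) => s.re.test(entrySource))
    .map((s) => s.id);

  // The downloader shape the article describes: code that runs without the
  // user asking for it, reaches out to a remote source, and executes the result.
  const downloaderShape =
    hooks.length > 0 &&
    signals.includes("remote-fetch") &&
    (signals.includes("dynamic-eval") || signals.includes("spawns-process"));

  return { hooks, signals, downloaderShape };
}

// Constructed sample inputs. They are not the real packages' contents; the
// suspicious source keeps only call shapes and contains no working stager logic.
const SUSPICIOUS_PKG = {
  name: "example-colour-utils",
  version: "1.0.0",
  scripts: { postinstall: "node install.js" },
};
const SUSPICIOUS_SOURCE = [
  'const { ethers } = require("ethers");',
  'const https = require("https");',
  'const { execSync } = require("child_process");',
  "// constructed stand-in: body omitted, only the call shapes remain",
  "https.get(target, (res) => { /* write response to disk */ });",
  "execSync(cmd);",
].join("\n");

const BENIGN_PKG = { name: "example-colour-utils", version: "1.0.0", scripts: { test: "node test.js" } };
const BENIGN_SOURCE = "module.exports = (hex) => hex.toUpperCase();";

console.log(JSON.stringify(auditPackage(SUSPICIOUS_PKG, SUSPICIOUS_SOURCE), null, 2));
console.log(JSON.stringify(auditPackage(BENIGN_PKG, BENIGN_SOURCE), null, 2));
```

The combination matters more than any single signal: a postinstall hook alone is common in legitimate native packages, and an HTTP call alone is common in API clients, but a package that has both, executes what it downloads and pulls in a blockchain client it does not need is the shape worth pulling off the pipeline for a manual look.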
Further investigation into the packages has revealed that they are referenced in a network of GitHub repositories claiming to be a solana-trading-bot-V2 that takes advantage of real-time on-chain data to execute automatically and “save you time and effort”. The GitHub account associated with the repository is no longer available.
These accounts are assessed to be part of a distribution-as-a-service (DaaS) offering called the Stargazers Ghost Network, which refers to a cluster of bogus GitHub accounts known for starring, forking, watching and committing to malicious repositories in order to inflate their popularity.
Those commits include source code changes to import colortoolsv2. Some of the other repositories pushing the NPM packages are ethereum-mev-bot-v2, arbitrage-bot and hyperliquid-trading-bot.
The naming of these GitHub repositories suggests that cryptocurrency developers and users are the primary targets of the campaign, which relies on a combination of social engineering and deception.
“It is important for developers to assess each library they are considering before deciding to include it in their development cycle,” said Valentić. “And this means pulling back the covers on both the open source packages and their maintainers: looking beyond the raw numbers of committers, commits and downloads to assess whether a given package – and the developers behind it – are what they present themselves to be.”