Hackers are using Ethereum smart contracts to conceal malware payloads inside seemingly benign npm packages, a tactic that turns the blockchain into a resilient command channel and complicates takedowns.
The packages surfaced in July and were removed after disclosure. ReversingLabs traced their promotion to a network of GitHub repositories that posed as trading bots, including solana-trading-bot-v2, with fake stars, inflated commit histories, and sock-puppet maintainers, a social layer that steered developers toward the malicious dependency chain.
The on-chain command channel echoes a broader campaign that researchers tracked in late 2024 across hundreds of npm typosquats. In that wave, packages executed install or preinstall scripts that queried an Ethereum contract, retrieved a base URL, and then downloaded OS-specific payloads named node-win.exe, node-linux, or node-macos.
ReversingLabs frames the 2025 packages as a continuation in technique rather than scale, with the twist that the smart contract hosts the URL for the next stage, not the payload.
The GitHub distribution work, including bogus stargazers and chore commits, aims to pass casual due diligence and leverage automated dependency updates within clones of the fake repos.
The design resembles earlier use of third-party platforms for indirection, for example GitHub Gist or cloud storage, but on-chain storage adds immutability, public readability, and a neutral venue that defenders cannot easily take offline.
Per ReversingLabs, Concrete IOCs from these reports include the Ethereum contracts 0x1f117a1b07c108eae05a5bccbe86922d66227e2b linked to the July packages and the 2024 contract 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b, wallet 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84, host patterns 45.125.67.172 and 193.233.201.21 with port 1337 or 3001, and platform payload names noted above.
Hashes for the 2025 second stage include 021d0eef8f457eb2a9f9fb2260dd2e391f009a21, and for the 2024 wave, Checkmarx lists Windows, Linux, and macOS SHA-256 values. ReversingLabs also published SHA-1s for each malicious npm version, which helps teams scan artifact stores for past exposure.
For defense, the immediate control is to prevent lifecycle scripts from running during install and CI. npm documents the --ignore-scripts flag for npm ci and npm install, and teams can set it globally in .npmrc, then selectively allow necessary builds with a separate step.
The Node.js security best practices page advises the same approach, together with pinning versions via lockfiles and stricter review of maintainers and metadata.
The packages are gone, the pattern remains, and on-chain indirection now sits alongside typosquats and bogus repos as a repeatable way to reach developer machines.
