Malicious npm Packages Leverage Ethereum Smart Contracts in Targeting Crypto Developers
July 2025 – Security researchers have uncovered a campaign distributing malicious npm packages designed to target cryptocurrency developers and users. The packages, which are no longer available for download after being uploaded in July 2025, utilize Ethereum smart contracts to obscure the URLs hosting malicious payloads – a tactic reminiscent of the previously observed “EtherHiding” technique.
ReversingLabs identified the packages as part of a refined operation impacting both npm and GitHub, designed to trick developers into downloading and executing malicious code. While the packages themselves contain openly malicious functionality, the associated GitHub projects were crafted to appear legitimate.
Once incorporated into a project, the packages trigger the download and execution of a next-stage payload from a server controlled by the attackers. Investigation revealed the packages were referenced within a network of GitHub repositories falsely claiming to be a “solana-trading-bot-v2” designed for automated cryptocurrency trading. The GitHub account linked to these repositories is now unavailable.
Researchers assess these accounts are connected to a “distribution-as-a-service” (DaaS) operation known as the Stargazers Ghost Network, a collection of fake GitHub accounts used to artificially inflate the popularity of malicious repositories through starring, forking, and committing. Repositories identified as distributing the npm package include “ethereum-mev-bot-v2,” “arbitrage-bot,” and “hyperliquid-trading-bot.”
“It is critical for developers to assess each library they are considering implementing before deciding to include it in their growth cycle,” stated Valentić of ReversingLabs. “And that means pulling back the covers on both open source packages and their maintainers: looking beyond raw numbers of maintainers, commits and downloads to assess whether a given package – and the developers behind it – are what they present themselves as.”
The campaign highlights the evolving tactics employed by threat actors to evade detection and underscores the importance of thorough vetting of open-source dependencies within the cryptocurrency development ecosystem.