ReversingLabs researchers discovered two npm packages (colortoolsv2 and mimelib2) whose downloader code retrieved its C2 URL from an Ethereum smart contract, rather than hard-coding it in the package, and then fetched second-stage malware from that URL. The packages were part of a larger supply-chain campaign that inflated GitHub popularity metrics to trick developers: the attackers ran fake GitHub accounts, automated commits, and replicated the malicious packages across npm and GitHub to evade detection and distribute the downloaders. #colortoolsv2 #mimelib2
Keypoints
- ReversingLabs found two malicious npm packages, colortoolsv2 (published July 7) and mimelib2 (published late July), that contained downloader malware.
- The packages used Ethereum smart contracts to host the URLs of the malicious commands that fetched the second-stage payloads, a novel evasion technique: the C2 URL itself need not appear in the package, a read-only chain query is not an obviously malicious network destination, and the attacker can repoint the URL by updating the contract's stored data (where the contract allows it) instead of publishing a new package version.
- Both packages were part of a broader campaign spanning npm and GitHub that used social engineering and deception to lure developers.
- On GitHub, attackers created fake repositories and accounts, inflated stars/watchers, and automated thousands of commits to fabricate project legitimacy.
- Specific GitHub accounts (e.g., pasttimerles, slunfuedrac, mw3ha31q, cnaovalles) were identified inflating commit counts and adding the malicious npm packages as dependencies of the fake repositories.
- The campaign reused tactics seen previously (e.g., GitHub Gists, cloud storage) but innovated by leveraging blockchain smart contracts as public C2 hosts.
- ReversingLabs published IOCs (package names, SHA1 hashes, smart contract address, second-stage payload hash) and recommends thorough vetting of open-source packages and maintainers.
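As an added example (not ReversingLabs' code and not taken from the campaign's repositories), the following Node.js script scores a GitHub repository for the inflation signals listed above: one account generating near-identical commits at machine-regular intervals, a young repository with many stars but almost no forks, and a package.json that pulls in one of the named packages. The commit and repository objects use the field names of the GitHub REST API (`commit.message`, `commit.author.date`, `author.login`, `stargazers_count`, `forks_count`, `created_at`), but all sample data and thresholds below are constructed for illustration; a real check would fetch the objects from the API.

```javascript
// Added example, not code from the ReversingLabs report. Heuristics for the
// GitHub inflation tactics described above. Thresholds are assumptions.

const KNOWN_BAD_PACKAGES = new Set(["colortoolsv2", "mimelib2"]); // from the IOC list

const THRESHOLDS = {
  minCommits: 50,            // only judge cadence on a meaningful sample
  repeatedMessageRatio: 0.8, // share of commits using the single most common message
  intervalCv: 0.15,          // coefficient of variation of commit spacing; bots are metronomic
  dominantAuthorShare: 0.95, // one account wrote almost everything
  starsPerFork: 50,          // many stars with almost no forks suggests bought stars
  youngRepoDays: 90,
};

function messageRepetitionRatio(commits) {
  const counts = new Map();
  for (const c of commits) counts.set(c.commit.message, (counts.get(c.commit.message) || 0) + 1);
  return Math.max(...counts.values()) / commits.length;
}

// Coefficient of variation (stddev / mean) of the gaps between consecutive commits.
function intervalCoefficientOfVariation(commits) {
  const times = commits.map((c) => Date.parse(c.commit.author.date)).sort((a, b) => a - b);
  const gaps = [];
  for (let i = 1; i < times.length; i++) gaps.push(times[i] - times[i - 1]);
  if (gaps.length < 2) return Infinity;
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  if (mean === 0) return 0;
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  return Math.sqrt(variance) / mean;
}

function dominantAuthorShare(commits) {
  const counts = new Map();
  for (const c of commits) {
    const login = c.author && c.author.login ? c.author.login : "(unlinked)";
    counts.set(login, (counts.get(login) || 0) + 1);
  }
  return Math.max(...counts.values()) / commits.length;
}

// Returns a list of finding tags; empty means nothing suspicious was seen.
function assessRepo(repo, commits, packageJson, nowMs) {
  const findings = [];
  if (commits.length >= THRESHOLDS.minCommits) {
    if (messageRepetitionRatio(commits) >= THRESHOLDS.repeatedMessageRatio) findings.push("repeated-commit-messages");
    if (intervalCoefficientOfVariation(commits) <= THRESHOLDS.intervalCv) findings.push("metronomic-commit-timing");
    if (dominantAuthorShare(commits) >= THRESHOLDS.dominantAuthorShare) findings.push("single-account-commit-inflation");
  }
  const ageDays = (nowMs - Date.parse(repo.created_at)) / 86400000;
  const starsPerFork = repo.stargazers_count / Math.max(repo.forks_count, 1);
  if (ageDays <= THRESHOLDS.youngRepoDays && starsPerFork >= THRESHOLDS.starsPerFork) findings.push("inflated-stars");
  const deps = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  for (const name of Object.keys(deps)) {
    if (KNOWN_BAD_PACKAGES.has(name)) findings.push(`known-malicious-dependency:${name}`);
  }
  return findings;
}

// Constructed sample data (not real repositories or accounts).
function makeCommits(n, logins, messages, startMs, gapsMs) {
  const commits = [];
  let t = startMs;
  for (let i = 0; i < n; i++) {
    t += gapsMs[i % gapsMs.length];
    commits.push({
      sha: i.toString(16).padStart(40, "0"),
      author: { login: logins[i % logins.length] },
      commit: { message: messages[i % messages.length], author: { date: new Date(t).toISOString() } },
    });
  }
  return commits;
}

const NOW_MS = Date.parse("2025-09-01T00:00:00Z");

// 300 identical commits from one account, exactly ten minutes apart, in a 48-day-old repo.
const SUSPICIOUS_REPO = { created_at: "2025-07-15T00:00:00Z", stargazers_count: 1200, forks_count: 2 };
const SUSPICIOUS_COMMITS = makeCommits(300, ["bot-account"], ["Update README.md"], Date.parse("2025-07-15T00:00:00Z"), [10 * 60 * 1000]);
const SUSPICIOUS_PACKAGE_JSON = { dependencies: { express: "^4.19.0", colortoolsv2: "1.0.1" } };

// Four authors, varied messages, irregular spacing, mature repo.
const BENIGN_REPO = { created_at: "2024-05-01T00:00:00Z", stargazers_count: 300, forks_count: 40 };
const BENIGN_COMMITS = makeCommits(
  60,
  ["alice", "bob", "carol", "dave"],
  ["Fix parser edge case", "Add tests", "Bump deps", "Refactor CLI", "Docs", "Handle EPIPE", "CI tweaks", "Release 1.4"],
  Date.parse("2024-05-02T00:00:00Z"),
  [30, 120, 1440, 2880, 60, 4320].map((min) => min * 60 * 1000),
);
const BENIGN_PACKAGE_JSON = { dependencies: { express: "^4.19.0" } };

console.log("suspicious:", assessRepo(SUSPICIOUS_REPO, SUSPICIOUS_COMMITS, SUSPICIOUS_PACKAGE_JSON, NOW_MS));
console.log("benign:", assessRepo(BENIGN_REPO, BENIGN_COMMITS, BENIGN_PACKAGE_JSON, NOW_MS));
```

None of these signals is proof on its own (release bots also commit on a schedule), so treat the output as a prompt to read the repository and its maintainers' history before adopting a dependency, which is the vetting the report recommends.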
MITRE Techniques
- [T1608] Modify Open Source Software – Attackers published malicious npm packages (colortoolsv2, mimelib2) that included downloader scripts to infect projects that depend on them. Quote: ‘…index.js contained an obfuscated, malicious payload…fetching and executing a malicious command by loading the URL for a command and control (C2) server…’
- [T1105] Ingress Tool Transfer – The malicious packages fetched a second-stage payload from locations revealed by the smart contract to download and execute malware. Quote: ‘…that script would run: fetching and executing a malicious command by loading the URL for a command and control (C2) server that would then download second stage malware…’
- [T1195] Supply Chain Compromise – The campaign abused npm and GitHub repositories and manipulated repository metadata (stars, commits) to distribute malicious dependencies to developers. Quote: ‘…a much larger campaign that was spread across both npm and GitHub trying to lure developers into downloading repositories that included malicious npm packages.’
- [T1204] User Execution – The malicious code executed when developers included or used the npm packages in their projects, causing the downloader to run. Quote: ‘…Once the colortoolsv2 package was used or included in some other project, that script would run…’
- [T1102] Web Service – Attackers used Ethereum smart contracts (public blockchain-hosted code) to store and serve commands/URLs used by the downloader to obtain second-stage malware. Quote: ‘…use of Ethereum smart contracts to host the URLs where malicious commands are located downloading the second stage malware.’
Indicators of Compromise
- [Package name] Malicious npm packages – colortoolsv2 (versions 1.0.0, 1.0.1, 1.0.2), mimelib2 (versions 1.0.0, 1.0.1)
- [File hash: SHA1] Package and payload hashes – colortoolsv2 1.0.0: 678c20775ff86b014ae8d9869ce5c41ee06b6215; colortoolsv2 1.0.1: 1bb7b23f45ed80bce33a6b6e6bc4f99750d5a34b; and other package hashes
- [File hash: SHA1] Second-stage payload – 21d0eef8f457eb2a9f9fb2260dd2e391f009a21 (second stage payload)
- [Smart contract address] Blockchain C2 host – Ethereum contract 0x1f117a1b07c108eae05a5bccbe86922d66227e2b
- [GitHub accounts/repositories] Malicious GitHub infrastructure – fake repo solana-trading-bot-v2 and user accounts pasttimerles, slunfuedrac, mw3ha31q, cnaovalles used to inflate commits and include malicious packages
Read more: https://www.reversinglabs.com/blog/ethereum-contracts-malicious-code