- Researchers found two harmful npm packages using Ethereum smart contracts to hide malicious activity.
- The packages installed downloader Malware and targeted developers on both npm and GitHub.
- Attackers used reputable-looking GitHub projects to trick users into downloading the malware.
- These actions are linked to a broader scheme known as Stargazers Ghost Network, which inflates the popularity of fake repositories.
- Experts advise thorough vetting of libraries and maintainers before including packages in projects.
Cybersecurity researchers have identified two malicious packages posted to the npm registry in July 2025. These packages used Ethereum blockchain smart contracts to carry out hidden attacks on affected systems. The packages focused on distributing malware and were designed to avoid detection by common security tools.
According to a report by ReversingLabs researcher Lucija Valentić, the npm packages contained commands that downloaded harmful software to the victim’s system. The packages were removed from npm and were also linked to a larger campaign targeting both npm and GitHub. The attackers made related GitHub projects appear legitimate to persuade developers to use them.
“The two npm packages abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems,” Valentić said in a report. The campaign employed a technique similar to EtherHiding, where Ethereum smart contracts provided URLs for downloading the malware. This method helped attackers avoid detection, as the location of malicious files was not hardcoded in the package.
Further investigation revealed that these packages were referenced in several GitHub repositories, such as “solana-trading-bot-v2,” which promised automatic trading using real-time blockchain data. The main GitHub account connected to this repository has since been removed.
Researchers suggest the campaign is part of the Stargazers Ghost Network, a distribution-as-a-service setup. This group creates fake GitHub accounts to star, fork, and commit to harmful repositories, making them look popular and trustworthy. Other repositories involved include “ethereum-mev-bot-v2,” “arbitrage-bot,” and “hyperliquid-trading-bot.”
The naming and content of these repositories show that cryptocurrency developers and users were the main targets, using tactics like social engineering to spread malware. Valentić emphasized the importance for developers to check both the open-source packages and their maintainers carefully: “It is critical for developers to assess each library they are considering implementing before deciding to include it in their development cycle.”
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Alphabet Stock Soars 8% as DOJ Ruling Favors Google in Antitrust Case
- US Sanctions Chinese Firm & Crypto in Fentanyl Drug Trade Crackdown
- Gainzy Accidentally Rugs Own Token, $4.6M Cap Crashes 99%
- Grayscale Launches Ether Covered Call ETF to Generate Income
- Solana (SOL) Eyes $220 Breakout After Rally, Hits Key Resistance
