Cybersecurity researchers have uncovered a new wave of attacks targeting crypto developers through the npm package registry. In July 2025, two malicious packages, „colortoolsv2“ and „mimelib2,“ were uploaded to npm as part of a sophisticated campaign using social engineering and deception to trick unsuspecting developers. While these packages appeared legitimate, their true intent was to install downloader malware on any system that incorporated them.<\/p>\n
What makes this campaign particularly notable is its innovative use of Ethereum smart contracts to conceal the command-and-control infrastructure. Instead of embedding malicious URLs or scripts directly in the package files, the attackers stored and delivered the URLs that fetch the second-stage malware within Ethereum smart contracts. This novel tactic makes detection much more challenging, as the malicious infrastructure is not visible in the package code but hidden on the blockchain.<\/p>\n
Once „colortoolsv2“ or „mimelib2“ was used in a project, the malware would reach out to the attacker-controlled Ethereum smart contract, retrieve the payload URL, and download further malware from that address. This approach reflects a growing trend among cybercriminals to innovate and evade traditional detection by leveraging decentralized and hard-to-monitor platforms like the blockchain.<\/p>\n
The incident serves as a serious warning for developers and organizations relying on open-source repositories. It highlights the need for vigilance, supply chain security practices, and careful vetting of third-party packages, especially in critical fields like cryptocurrency development. As threat actors continue adopting cutting-edge techniques, staying informed and proactive is essential to prevent compromise and protect sensitive assets.<\/p>\n","protected":false},"excerpt":{"rendered":"
Cybersecurity researchers have uncovered a new wave of attacks targeting crypto developers through the npm package registry. In July 2025, two malicious packages, „colortoolsv2“ and „mimelib2,“ were uploaded to npm as part of a sophisticated campaign using social engineering and deception to trick unsuspecting developers. While these packages appeared legitimate, their true intent was to […]<\/p>\n","protected":false},"author":1,"featured_media":2876,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-2877","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"translation":{"provider":"WPGlobus","version":"3.0.0","language":"de","enabled_languages":["en","de","ja","vi","ms"],"languages":{"en":{"title":true,"content":true,"excerpt":false},"de":{"title":false,"content":false,"excerpt":false},"ja":{"title":false,"content":false,"excerpt":false},"vi":{"title":false,"content":false,"excerpt":false},"ms":{"title":false,"content":false,"excerpt":false}}},"rttpg_featured_image_url":{"full":["https:\/\/cryptoenewshub.com\/wp-content\/uploads\/2025\/09\/2025-09-04T090001.9580700.webp",728,380,false],"landscape":["https:\/\/cryptoenewshub.com\/wp-content\/uploads\/2025\/09\/2025-09-04T090001.9580700.webp",728,380,false],"portraits":["https:\/\/cryptoenewshub.com\/wp-content\/uploads\/2025\/09\/2025-09-04T090001.9580700.webp",728,380,false],"thumbnail":["https:\/\/cryptoenewshub.com\/wp-content\/uploads\/2025\/09\/2025-09-04T090001.9580700-150x150.webp",150,150,true],"medium":["https:\/\/cryptoenewshub.com\/wp-content\/uploads\/2025\/09\/2025-09-04T090001.9580700-300x157.webp",300,157,true],"large":["https:\/\/cryptoenewshub.com\/wp-content\/uploads\/2025\/09\/2025-09-04T090001.9580700.webp",728,380,false],"1536x1536":["https:\/\/cryptoenewshub.com\/wp-content\/uploads\/2025\/09\/2025-09-04T090001.9580700.webp",728,380,false],"2048x2048":["https:\/\/cryptoenewshub.com\/wp-content\/uploads\/2025\/09\/2025-09-04T090001.9580700.webp",728,380,false],"blog-thumb":["https:\/\/cryptoenewshub.com\/wp-content\/uploads\/2025\/09\/2025-09-04T090001.9580700-530x250.webp",530,250,true],"blog-full":["https:\/\/cryptoenewshub.com\/wp-content\/uploads\/2025\/09\/2025-09-04T090001.9580700.webp",728,380,false]},"rttpg_author":{"display_name":"tranhuynhmy@proton.me","author_link":"https:\/\/cryptoenewshub.com\/de\/author\/tranhuynhmyproton-me\/"},"rttpg_comment":0,"rttpg_category":"News<\/a>","rttpg_excerpt":"Cybersecurity researchers have uncovered a new wave of attacks targeting crypto developers through the npm package registry. In July 2025, two malicious packages, „colortoolsv2“ and „mimelib2,“ were uploaded to npm as part of a sophisticated campaign using social engineering and deception to trick unsuspecting developers. While these packages appeared legitimate, their true intent was to…","_links":{"self":[{"href":"https:\/\/cryptoenewshub.com\/de\/wp-json\/wp\/v2\/posts\/2877","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cryptoenewshub.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cryptoenewshub.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cryptoenewshub.com\/de\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cryptoenewshub.com\/de\/wp-json\/wp\/v2\/comments?post=2877"}],"version-history":[{"count":1,"href":"https:\/\/cryptoenewshub.com\/de\/wp-json\/wp\/v2\/posts\/2877\/revisions"}],"predecessor-version":[{"id":2878,"href":"https:\/\/cryptoenewshub.com\/de\/wp-json\/wp\/v2\/posts\/2877\/revisions\/2878"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cryptoenewshub.com\/de\/wp-json\/wp\/v2\/media\/2876"}],"wp:attachment":[{"href":"https:\/\/cryptoenewshub.com\/de\/wp-json\/wp\/v2\/media?parent=2877"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cryptoenewshub.com\/de\/wp-json\/wp\/v2\/categories?post=2877"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cryptoenewshub.com\/de\/wp-json\/wp\/v2\/tags?post=2877"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}