Bitcoin 
Ethereum 
Tether 
XRP 
BNB 
USDC 
Lido Staked Ether 
TRON 
Dogecoin 
Cardano 
Wrapped stETH 
Figure Heloc 
Wrapped Bitcoin 
Wrapped Beacon ETH 
Chainlink 
Hyperliquid 
Bitcoin Cash 
USDS 
Wrapped eETH 
Ethena USDe 
Binance Bridged USDT (BNB Smart Chain) 
Stellar 
LEO Token 
WETH 
WhiteBIT Coin 
Sui 
Coinbase Wrapped BTC 
Hedera 
Avalanche 
Zcash 
Litecoin 
Monero 
Shiba Inu 
Ethena Staked USDe 
Toncoin 
Dai 
USDT0 
Cronos 
Polkadot 
Mantle 
Bittensor 
MemeCore 
sUSDS 
Uniswap 
Aave 
World Liberty Financial 
USD1 
BlackRock USD Institutional Digital Liquidity Fund 
PayPal USD 
Bitget Token 
OKB 
Internet Computer 
NEAR Protocol 
Pepe 
Ethena 
Ethereum Classic 
Jito Staked SOL 
Binance-Peg WETH 
Falcon USD 
Jupiter Perpetuals Liquidity Provider Token 
Tether Gold 
Wrapped SOL 
Aptos 
Ondo 
Pi Network 
Aster 
USDtb 
POL (ex-MATIC) 
HTX DAO 
Worldcoin 
Dash 
KuCoin 
Rocket Pool ETH 
Provenance Blockchain 
Binance Staked SOL 
Arbitrum 
Official Trump 
Gate 
Algorand 
Pump.fun 
syrupUSDT 
Kelp DAO Restaked ETH 
PAX Gold 
StakeWise Staked ETH 
BFUSD 
Kinetiq Staked HYPE 
syrupUSDC 
Lombard Staked BTC 
Function FBTC 
Liquid Staked ETH 
Wrapped BNB 
VeChain 
Cosmos Hub 
Kaspa 
Story 
Sky 
Binance Bridged USDC (BNB Smart Chain) 
Jupiter 
Renzo Restaked ETH 
Flare 
Software security firm ReversingLabs has identified two open-source code packages that use Ethereum smart contracts to download malware. It forms part of a “sophisticated campaign” of malicious actors attempting to hack users via poisoned blockchain-related public code libraries—a vector of attack Binance has previously linked to North Korean hackers.
The two Node Package Manager (NPM) libraries, or packages, called colortoolsv2 and mimelib2, were effectively identical in that they contained two files, one of which would run a script that downloads the second half of the malware attack via an Ethereum smart contract. NPM packages are collections of reusable, open-source code that developers will frequently use.
Lucija Valentić, Software threat researcher at ReversingLabs, wrote that the use of smart contracts was “something we haven’t seen previously.”
⚠️ New RL threat research: 2 malicious #npm packages abuse #Ethereum smart contracts to load #malware on compromised devices. https://t.co/wzDRKfm2yh
— ReversingLabs (@ReversingLabs) September 3, 2025
“‘Downloaders’ that retrieve late-stage malware are being published to the npm repository weekly—if not daily,” she said. “What is new and different is the use of Ethereum smart contracts to host the URLs where malicious commands are located, downloading the second-stage malware.”
These two packages were just the tip of the iceberg, as ReversingLabs found a larger campaign of poisoned packages across GitHub. The security firm discovered a network of GitHub repositories that were connected to the aforementioned malicious package colortoolsv2. Most of the network was branded as crypto trading bots or token sniping tools.
“Even though the NPM package wasn’t very sophisticated, there was much more work put into making the repositories holding the malicious package look trustworthy,” Valentić said.
She explained in the report that some repositories had thousands of commits, a good number of stars, and a couple of contributors, which could lead a developer to trust it. But ReversingLabs believes that most of this activity was faked by the attackers.
“It is especially dangerous because programmers wouldn’t think it’d be an issue when they use publicly maintained codebases,” 0xToolman, a pseudonymous on-chain sleuth at Bubblemaps, told Decrypt. “It could be the assumption that open source equals public monitoring equals safety. It could be simply that one is unable to check every code he is using as he did not write it, and it would take so much time to do so.”
Binance links NPM poisoning to DPRK
Major centralized exchange Binance told Decrypt last month that it was aware of such attacks and forces employees to go through NPM libraries with a fine-tooth comb as a result.
Binance chief security officer, Jimmy Su, explained that package poisoning is a growing vector of attack for North Korean hackers, which he identified as the single biggest threat to crypto companies.
“The largest vector currently against the crypto industry is state actors, particularly in the DPRK, [with] Lazarus,” Su told Decrypt in August. “They’ve had a crypto focus in the last two, three years and have been quite successful in their endeavors.”
North Korean hackers are believed to have been responsible for 61% of all crypto stolen in 2024, a Chainalysis report revealed, which totalled $1.3 billion. Since then, the FBI has attributed North Korean attackers to the $1.4 billion Bybit hack, which is the largest crypto hack of all time.
While the main vector of attack that Su has noted is via fake employees, NPM package poisoning is in second place alongside fake interview scams. As such, major crypto exchanges share intelligence via Telegram and Signal groups so they can highlight poisoned libraries.
“We are mostly in this alliance on the frontline, so for the first responders, when [there are] hacks or [we need] incident response. We are always in this group, like with other exchanges, such as Coinbase, Kraken,” Su explained. “We’ve been in alliance with those exchanges for years now. There are more formal ones that are being formed today, but in terms of operating on the frontline. We’ve been doing that for years now.”
