Colortoolsv2 and mimelib2 Ethereum-smart-contract downloader malware
Malware Activity
Summary
The colortoolsv2 and mimelib2 npm packages were found delivering downloader malware through Ethereum smart contracts, creating a stealthier supply-chain threat for developers and downstream projects. Uploaded in July 2025, the packages were later removed from npm. Once used in another project, they fetched and ran a next-stage payload from an attacker-controlled server. The activity also overlapped with a broader npm and GitHub distribution effort aimed at crypto developers.
Related Happenings
Mini Shai-Hulud SAP-related npm supply-chain campaign
Campaign
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources 1
About this happening:
A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...
Latest development: 12.05.2026 11:50
Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.
Famous Chollima PromptMink supply-chain campaign targeting Web3 developers
Campaign
First: 29.04.2026 17:43
Last: 29.04.2026 17:43
Sources 1
About this happening:
The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....
Malicious npm packages @automagik/genie and pgserve self-propagating malware
Malware Activity
First: 24.04.2026 11:10
Last: 24.04.2026 11:10
Sources 1
About this happening:
**Malicious npm packages** are distributing **credential-stealing malware** that runs during installation and **self-propagates** across developer ecosystems, raising supply-chain...
UNC1069 Axios npm supply-chain campaign targeting build pipelines
Campaign
First: 01.04.2026 10:44
Last: 01.04.2026 10:44
Sources 1
About this happening:
The **Axios npm supply-chain compromise** has been tied to **UNC1069**, putting **npm consumers** and downstream **build pipelines** at risk from trojanized releases. Attackers se...
Latest development: 13.04.2026 20:39
OpenAI is revoking and rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a compromised Axios package version 1.14.1 during a March 31, 2026 supply-chain attack. The workflow had access to certificates used to sign ChatGPT Desktop, Codex, Codex CLI, and Atlas, and OpenAI says it found no evidence that user data, systems, intellectual property, or the signing certificate were compromised.
Ghost campaign malicious npm supply-chain operation
Campaign
First: 24.03.2026 16:30
Last: 24.03.2026 16:30
Sources 1
About this happening:
A **malicious npm supply-chain campaign** dubbed **"Ghost campaign"** is using **fake installation logs** to conceal malware delivery, increasing the chance that package installer...
Timeline
- 03.09.2025 22:59 · 2 articles · 8mo ago
Malicious npm packages colortoolsv2 and mimelib2 use Ethereum smart contracts to deliver downloader malware to compromised systems
Initial Disclosure: ReversingLabs identified two malicious npm packages, colortoolsv2 and mimelib2, that abused Ethereum smart contracts to conceal commands and fetch a next-stage payload from an attacker-controlled server on compromised systems. The packages were tied to a broader npm and GitHub supply-chain campaign that used credible-looking repositories and appeared aimed at cryptocurrency developers and trading-bot projects.
Sources:
- Malicious npm Packages Exploit Ethereum Smart Contracts to Target Crypto Developers — thehackernews.com — 03.09.2025 22:59