Ethereum smart contracts used to push malicious code on npm
From reversinglabs.com
Two new pieces of open source malware discovered on the npm package repository by ReversingLabs researchers in July employ a novel and creative technique for loading malware on compromised devices: smart contracts for the Ethereum blockchain. The two npm packages abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems. The packages are colortoolsv2, published on July 7, and mimelib2, a nearly identical package that was published in late July. They are part of a larger and sophisticated campaign impacting both npm and GitHub. It is a campaign that has seen ...