Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New npm Attack: A Poisoned Package Crisis


A new security threat has emerged in the form of two malicious packages on npm, which can inject a persistent reverse shell backdoor into legitimate local packages. Despite the limited impact of this attack, it highlights the importance of ongoing security monitoring and vigilance when using open-source software.

  • Two malicious packages, "ethers-provider2" and "ethers-providerz", have been discovered on npm; they patch a legitimate, locally installed package to inject a persistent reverse shell backdoor.
  • The discovery was made by researchers at Reversing Labs during routine security investigations on the open-source supply chain.
  • The malicious code is embedded in the "install.js" script of the "ethers-provider2" package, which downloads a second-stage payload from an external source.
  • Even if "ethers-provider2" is uninstalled, the backdoor on the ethers package won't be removed, and so the legitimate package remains infected.
  • The researchers have included a YARA rule to detect known malware associated with this campaign, urging developers to use it to scan their environments for remnant threats.



    A recent security threat has emerged in the open-source community, targeting the Node package manager (npm). Two malicious packages, "ethers-provider2" and "ethers-providerz," have been discovered on npm, which covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. This attack is particularly concerning because even if the victim removes the malicious packages, the backdoor remains on their system.

    The discovery of these malicious packages was made by researchers at Reversing Labs during routine security investigations on the open-source supply chain. The team warned about the risk it entails, even if the packages weren't downloaded in large numbers. According to Reversing Labs, "it's not unusual to encounter downloaders on npm; they are maybe not as common as infostealers, but they are far from uncommon."

    The malicious code is embedded in the "install.js" script of the "ethers-provider2" package, which downloads a second-stage payload from an external source. This payload is executed and then deleted when finished to wipe all traces. The first stage monitors for the legitimate "ethers" package and, once it finds it, replaces the legitimate "provider-jsonrpc.js" file with a trojanized version.

    The injected file now fetches a third-stage payload from the remote host, which enables a reverse shell using a modified SSH client, mimicking the legitimate SSH2 client behavior. What makes this attack so dangerous is that even if "ethers-provider2" is uninstalled, the backdoor on the ethers package won't be removed, and so the legitimate package remains infected.

    The "ethers-providerz" package features similar behavior but targets the "@ethersproject/providers" package instead. Based on code analysis, its ultimate goal is also to patch the target package with a reverse shell that points to the same malicious IP address (5[.]199[.]166[.]1:31337). Reversing Labs reports that early versions of this package had path errors, which prevented it from working as intended. The author has removed it from npm and may plan to reintroduce it after fixing those errors.

    The researchers also mentioned two more packages, namely "reproduction-hardhat" and "@theoretical123/providers," that appear to be linked to the same campaign. Reversing Labs has included a YARA rule to detect known malware associated with this campaign, so developers should use it to scan their environments for remnant threats.

    In general, when downloading packages from package indexes like PyPI and npm, it is recommended to double-check their legitimacy (and that of their publisher) and examine their code for signs of risk, such as obfuscated code and calls to external servers.

    The discovery of this malicious attack highlights the importance of ongoing security monitoring and the need for developers to be vigilant when using open-source packages. It also underscores the potential risks associated with downloading third-party software, even from reputable sources like npm.

    As the use of open-source software continues to grow, it is essential that we remain proactive in identifying and mitigating these types of threats. By staying informed about emerging security issues and taking steps to protect ourselves against them, we can reduce our risk exposure and ensure a safer online environment for everyone.

    In conclusion, the recent npm attack serves as a stark reminder of the importance of cybersecurity awareness and best practices. It is crucial that developers and users alike remain vigilant when interacting with open-source software and take proactive measures to safeguard themselves against such threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-npm-Attack-A-Poisoned-Package-Crisis-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/new-npm-attack-poisons-local-packages-with-backdoors/

  • https://thehackernews.com/2025/03/malicious-npm-package-modifies-local.html


  • Published: Wed Mar 26 08:20:41 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.