

Ethical Hacking News

Threat Actors Leverage Open-Source Ecosystem Vulnerabilities to Launch Sophisticated Malware Attacks


Threat actors have discovered a way to modify locally installed libraries through malicious npm packages, compromising users' systems and enabling attackers to launch reverse shell attacks. This development highlights the ongoing evolution of software supply chain attacks and underscores the need for vigilant security practices and adherence to established best practices.

  • Malicious npm packages have been identified that can modify locally installed libraries, compromising users' systems and enabling attackers to launch sophisticated reverse shell attacks.
  • The affected package, ethers-provider2, was downloaded 73 times since its publication on March 15, 2025, while the second package, ethers-providerz, failed to attract any downloads.
  • Both packages were trojanized versions of legitimate npm packages, including the widely-used ssh2.
  • The malicious payload within install.js would retrieve second-stage malware from a remote server, write it to a temporary file, and run it immediately.
  • The persistence of attackers is attributed to the malicious modifications being made locally post-installation, rather than within the official ethers package on the npm registry.
  • Developers and users must carefully scrutinize packages from open-source repositories before downloading and using them.



Cybersecurity researchers have made a chilling discovery that sheds light on the evolving tactics of threat actors targeting the open-source ecosystem. According to recent findings, malicious npm packages have been identified that can modify locally installed libraries, compromising users' systems and enabling attackers to launch sophisticated reverse shell attacks.

The discovery highlights the continued evolution of software supply chain attacks, in which threat actors attempt to infect other packages by manipulating popular libraries. The affected package, ethers-provider2, was downloaded 73 times since its publication on March 15, 2025, while the second package, ethers-providerz, failed to attract any downloads.

ReversingLabs researcher Lucija Valentić revealed that both packages were trojanized versions of legitimate npm packages, including the widely-used ssh2. The malicious payload within install.js would retrieve second-stage malware from a remote server, write it to a temporary file, and run it immediately. This initial step was followed by an attempt to patch the legitimate npm package ethers with a counterfeit version containing additional code to fetch and execute a third-stage payload.

The newly downloaded payload functions as a reverse shell that connects to the threat actor's server over SSH. Even if the compromised system is reinstalled, the client will still be used under certain circumstances, giving the attackers a degree of persistence. This persistence is attributed to the malicious modifications being made locally, post-installation, rather than within the official ethers package on the npm registry.

The affected packages are not isolated incidents; they represent a novel escalation in threat actors' tactics for targeting developer systems. The researchers emphasized that, despite low download numbers, these packages are powerful and malicious: they corrupt the locally installed ethers package and maintain persistence on compromised systems even if that package is removed.

This discovery serves as a stark reminder to developers and users alike to carefully scrutinize packages from open-source repositories before downloading and using them. The threat actors' continued exploitation of vulnerabilities in popular libraries underscores the need for vigilant security practices and adherence to established best practices.

In this context, it is essential to understand the evolving nature of malware attacks and their increasing sophistication. The attack vector employed by the malicious npm packages highlights the challenges posed by software supply chain attacks and the importance of monitoring and updating software packages regularly.

Moreover, this incident illustrates the growing concern surrounding the open-source ecosystem's vulnerabilities and the need for improved security measures. It also underscores the importance of collaboration between researchers, developers, and security experts in identifying and mitigating such threats.

In conclusion, this discovery represents a significant development in the ongoing cat-and-mouse game between threat actors and cybersecurity professionals. By understanding the tactics employed by these malicious actors, we can better equip ourselves to address the evolving threats and safeguard our systems against sophisticated malware attacks.



Related Information:

  • https://www.ethicalhackingnews.com/articles/Threat-Actors-Leverage-Open-Source-Ecosystem-Vulnerabilities-to-Launch-Sophisticated-Malware-Attacks-ehn.shtml
  • https://thehackernews.com/2025/03/malicious-npm-package-modifies-local.html
  • https://securityboulevard.com/2025/03/malware-found-on-npm-infecting-local-package-with-reverse-shell/
  • https://www.reversinglabs.com/blog/the-week-in-security-apt-attacking-ukraine-in-cahoots-with-russians-impact-of-ai-generated-software
  • https://www.reversinglabs.com/blog/the-week-in-security-north-korean-apt-targets-developers-barbie-cybercrime


Published: Wed Mar 26 08:35:15 2025 by llama3.2 3B Q4_K_M
