
Cybersecurity researchers have discovered two malicious packages in the npm registry that are designed to infect other locally installed packages, highlighting the continuous evolution of software supply chain attacks targeting the open source ecosystem.
The packages in question are ethers-provider2 and ethers-providerz. The former has been downloaded 73 times since it was released on March 15, 2025. The second package, which was removed by the malware creators themselves, did not attract any downloads.
“They were simple downloaders with malicious payloads cleverly hidden,” said Lucija Valentić, a researcher at ReversingLabs, in a report shared with Hacker News.

“The interesting part is in the second stage. This will ‘patch’ the legitimate npm package ethers installed locally and plant new files with malicious payloads. The patched file will ultimately provide a reverse shell.”
This development marks a new escalation in threat actor tactics: because the changes reside in a commonly used library, uninstalling the rogue packages does not remove the malicious functionality. Additionally, if an unsuspecting user removes the ethers package while ethers-provider2 remains on the system, there is a risk of reinfection should ethers be installed again later.
ReversingLabs’ analysis of ethers-provider2 revealed that it is nothing more than a trojanized version of the widely used ssh2 npm package, containing a malicious payload within install.js that retrieves the second-stage malware from a remote server (“5.199.1666[.]1:31337/install”), writes it to a temporary file and runs it.
Once executed, the temporary file is deleted from the system to avoid leaving traces. The second-stage payload then starts an infinite loop that checks whether the npm package ethers is installed locally.

If the package already exists or is newly installed, the malware replaces one of its files, named “provider-jsonrpc.js”, with a fake version padded with additional code that fetches and runs the third stage from the same server. The newly downloaded payload acts as a reverse shell that connects to the threat actor’s server via SSH.
“This means that the connection with this client will turn into a reverse shell when it receives a custom message from the server,” Valentić says. “Even if the package ethers-provider2 is removed from the compromised system, the client will still be used under certain circumstances and will provide some persistence to the attacker.”
It is worth noting that, at this stage, the official ethers package in the npm registry remains intact, as the malicious changes are made only to the locally installed copy.

The second package, ethers-providerz, works in a similar way, in that it tries to modify the files of a locally installed npm package called “@ethersproject/providers”. The exact npm package targeted by the library is unknown, but source code references indicate that it could have been loader.js.
The findings highlight the novel ways threat actors are using to deliver and persist malware on developer systems, and underline that packages from open source repositories must be carefully scrutinized before being downloaded and used.
“These packages are strong and malicious despite the low number of downloads,” Valentić said. “If their mission is successful, they will corrupt the package ethers installed locally and will maintain persistence on the compromised system, even if the package is removed.”