Introduction
Cybersecurity researchers have uncovered two malicious packages on the npm registry, specifically designed to infect other locally installed packages. This discovery highlights the ongoing evolution of software supply chain attacks targeting the open-source ecosystem. These attacks underscore the growing threats developers face when using third-party packages, necessitating stringent security measures.
Discovery of Malicious Packages
The two identified packages, ethers-provider2 and ethers-providerz, represent a new method of attack. The former had been downloaded 73 times since its publication on March 15, 2025, while the latter, likely removed by its creator, did not record any downloads. Despite their relatively low download numbers, their potential impact is severe.
According to ReversingLabs researcher Lucija Valentić, these packages acted as simple downloaders with hidden malicious payloads. Their primary function was to patch the legitimate npm package ethers, which is installed locally, by introducing a malicious file that ultimately facilitated a reverse shell. This method represents a significant escalation in cybercriminal tactics, as merely uninstalling the rogue packages does not remove the malicious alterations.
Technical Breakdown of the Attack
An analysis of ethers-provider2 revealed that it was a trojanized version of the widely used ssh2 npm package. Within its install.js script, the malware retrieved a second-stage payload from a remote server ("5.199.166[.]1:31337/install"), wrote it to a temporary file, and executed it. The file was then deleted to avoid detection. This second-stage payload continuously monitored the system to determine whether the ethers package was installed.
If ethers was present, the malware replaced a critical file, provider-jsonrpc.js, with a compromised version containing additional malicious code. This modification allowed the malware to download and execute a third-stage payload from the same remote server. The final payload established a reverse shell connection to the attacker’s server via SSH, granting unauthorized access to the infected system.
Even if ethers-provider2 was removed from the system, the altered ethers package remained compromised, allowing attackers to maintain persistent access under certain conditions. This persistence mechanism poses a serious risk to developers who unknowingly install or update the ethers package after its initial infection.
Persistence and Impact on Developer Systems
A similar behavior was observed in ethers-providerz, which targeted the @ethersproject/providers npm package. Although the exact modifications remain unclear, source code references suggest that it aimed to alter loader.js or other associated files.
These findings illustrate the increasingly sophisticated methods used by threat actors to infiltrate open-source projects. Unlike traditional malware that affects standalone software, supply chain attacks compromise the integrity of widely used dependencies, affecting multiple downstream projects and developers.
Security Implications and Mitigation Measures
Given the increasing prevalence of such attacks, developers must exercise caution when downloading and integrating npm packages. Key security measures include:
Verifying package authenticity by checking the publisher’s credibility and reviewing the package history.
Conducting security audits using tools like npm audit, Snyk, or ReversingLabs to detect anomalies.
Monitoring network activity to identify suspicious outbound connections that may indicate malware presence.
Implementing version control and dependency management to prevent unauthorized modifications to installed packages.
Conclusion
The discovery of ethers-provider2 and ethers-providerz underscores the growing risks in the open-source software ecosystem. Despite their limited distribution, these packages were designed for stealthy persistence, posing a significant threat to developers and organizations relying on npm libraries. As supply chain attacks continue to evolve, vigilance, regular security assessments, and proactive threat detection are critical to mitigating such risks.
By adopting best security practices and leveraging advanced threat detection tools, developers can safeguard their projects against malicious dependencies, ensuring a secure and resilient development environment.