Listen to this Post
A newly uncovered malware campaign has highlighted an alarming shift in software supply chain attacks. By exploiting npm (Node Package Manager) packages, attackers have successfully embedded advanced reverse shells within development environments. This article delves into the specifics of this emerging threat and the methods used to compromise npm packages, underscoring the critical need for heightened vigilance in the software development world.
the Threat
Recent research by ReversingLabs has uncovered two malicious npm packages, “ethers-provider2” and “ethers-providerz,” which were found to be part of an advanced malware campaign. These packages infiltrated development environments by secretly altering legitimate npm dependencies.
The “ethers-provider2” package, for instance, mimics the well-known “ssh2” package, integrating harmful code into its installation script. Once executed, the script triggers a chain of events that eventually leads to a reverse shell connection with the attacker’s server. The process starts with the script downloading a secondary malicious payload from an external server, which is executed and then wiped from the system to cover the attacker’s tracks. This secondary payload is designed to monitor the installation of a legitimate package (ethers) and replace it with a compromised version that fetches yet another payload. The final step of the attack involves setting up a reverse shell, enabling attackers to remotely control the affected machine.
Similarly, the “ethers-providerz” package attempts to manipulate files within the widely used @ethersproject/providers package. However, this attempt is flawed due to incorrect file paths, suggesting that the attack was not fully executed. Despite these issues, the underlying intent was clear: to inject hidden backdoors into widely-used npm packages.
In both cases, the malicious code was stealthily introduced into locally installed npm packages without ever compromising the original ethers package itself. This ensures that even if a developer reinstalls the legitimate package, the malicious code will reappear, maintaining persistent access for the attackers.
What Undercode Say:
This sophisticated attack highlights a growing trend of software supply chain breaches where attackers are focusing on long-term persistence and stealth rather than immediate damage. Traditionally, attackers using npm malware focus on stealing sensitive information (infostealers), but this campaign represents a clear shift toward maintaining covert, long-lasting access to compromised systems.
By modifying widely-used development tools and npm packages, attackers can potentially gain access to a large number of developer environments. This opens up avenues for further exploitation, as developers may unknowingly contribute to the spread of these malicious packages. What makes this particular attack particularly dangerous is its persistence. Unlike other npm-based malware, which can be eliminated by removing the malicious package, these reverse shell tactics ensure that the infection remains present. Even if developers reinstall legitimate packages like ethers, the attack will reassert itself.
The campaign is not limited to the two packages discovered. Further investigation revealed other malicious packages, such as “reproduction-hardhat” and “@theoretical123/providers,” which were also removed after being identified. The fact that such malware can persist across re-installations and is difficult to detect underscores the evolving tactics of cybercriminals in the npm ecosystem.
This type of stealth attack signals a worrying trend for software supply chain security. The stakes are higher as software development environments become increasingly targeted by sophisticated malware campaigns. As malicious actors continue to refine their methods, it’s clear that developers must prioritize robust security measures to safeguard against these emerging threats.
ReversingLabs’ detection platform, Spectra, played a key role in identifying the suspicious behavior of these packages. Despite their low download numbers, the potential risk remains significant, particularly as attackers may target more popular packages in future campaigns. As a countermeasure, ReversingLabs has created a YARA rule that can help identify compromised systems by checking for modifications in the ethers package.
What stands out here is not just the sophistication of the malware, but the persistence that accompanies it. By making sure that compromised versions of packages like ethers will continue to reappear, attackers are ensuring that they maintain control over infected environments for extended periods. This introduces a level of stealth and persistence that makes detection far more challenging for developers and security systems alike.
Fact Checker Results:
- ReversingLabs identified two malicious npm packages—ethers-provider2 and ethers-providerz—designed to deploy reverse shells in development environments.
- The primary aim of the attack is to ensure long-term access, with the malicious packages restoring their impact even after removal.
- The discovery of additional related packages like “reproduction-hardhat” highlights the broader scope of this evolving supply chain attack.
This sophisticated malware campaign presents a growing challenge for developers, showing the need for better awareness and proactive measures to defend against evolving supply chain threats.
References:
Reported By: https://www.infosecurity-magazine.com/news/malicious-npm-packages-deliver/
Extra Source Hub:
https://www.medium.com
Wikipedia
Undercode AI
Image Source:
Pexels
Undercode AI DI v2





