Stealthy npm Malware Injects Persistent Reverse Shell Backdoor

Listen to this Post

A New Threat Lurks in npm Packages

Security researchers have uncovered a new, highly deceptive malware campaign targeting npm (Node Package Manager). The attackers use two malicious packages to inject a persistent reverse shell backdoor into legitimate, locally installed packages. This means that even if a victim detects and removes the initial malicious packages, the system remains compromised.

This stealthy attack was identified by Reversing Labs, which emphasized the serious risk posed by these deceptive tactics, despite the fact that the malicious packages weren’t widely downloaded. Attackers have become increasingly sophisticated in how they embed malicious payloads into open-source software, making it difficult for developers to detect these threats before it’s too late.

How the Attack Works

Reversing Labs discovered two npm packages—’ethers-provider2′ and ‘ethers-providerz’—that employ an innovative method to maintain persistence on infected systems.

1. First Stage – Initial Infection:

  • The ‘ethers-provider2’ package is based on the widely used ‘ssh2’ npm package.
  • During installation, it executes a modified install.js script, which downloads a secondary malicious payload from an external server.
  • This payload is then executed and removed, erasing all traces of the initial infection.

2. Second Stage – Hijacking Legitimate Packages:

  • The malware scans for the presence of the legitimate ‘ethers’ package.
  • Once detected, it replaces the ‘provider-jsonrpc.js’ file with a trojanized version that can fetch and execute additional malicious code.

3. Third Stage – Establishing a Persistent Backdoor:

  • The injected script downloads another payload that enables a reverse shell, effectively giving attackers remote access to the system.
  • This shell operates through a modified SSH client, which mimics the behavior of a legitimate SSH2 client.

Even after the ‘ethers-provider2’ package is uninstalled, the injected backdoor in the ‘ethers’ package remains active, continuing to expose the system to remote control.

A Parallel Threat: ethers-providerz

The second malicious package, ‘ethers-providerz’, functions similarly but targets a different npm module—@ethersproject/providers.
– Its goal is also to inject a persistent reverse shell that communicates with a malicious IP address: 5[.]199[.]166[.]1:31337.
– Earlier versions of this package had path errors that rendered it nonfunctional, but the attackers seem intent on fixing and reintroducing it.

Reversing Labs also identified two other suspicious packages, ‘reproduction-hardhat’ and ‘@theoretical123/providers’, which appear to be part of the same malware campaign.

Mitigating the Risk

Reversing Labs has released a YARA rule to help developers detect malware related to this campaign. To protect against similar threats, developers should:

  • Double-check package legitimacy before installing, especially from unverified sources.
  • Inspect package code for obfuscation, hidden scripts, or external network calls.
  • Regularly scan dependencies using security tools like YARA or npm audit.

Open-source software ecosystems like npm remain prime targets for attackers due to their widespread adoption. Vigilance and proactive security measures are crucial to keeping development environments safe.

What Undercode Say:

The discovery of these malicious npm packages highlights a growing problem in software supply chain security. Attackers are no longer simply planting malware in standalone applications; they are infecting widely used dependencies to ensure long-term persistence on systems.

Why This Attack is Unique

Unlike typical malware that gets removed when the infected package is uninstalled, this attack is highly persistent. The backdoor remains in the system even after the initial malware is gone, making it much harder to detect and eliminate. This method represents an evolution in software supply chain attacks, moving from simple malicious injections to stealthy, multi-stage infections.

Supply Chain Risks in Open-Source Ecosystems

  • npm is an attractive target: With millions of developers relying on npm packages, attackers see it as a high-impact attack vector.
  • Attackers leverage trust: Developers often install packages without manually inspecting their code, assuming they are safe.
  • Malware spreads silently: Since these packages target popular dependencies, they can compromise many projects before detection.

Key Takeaways for Developers and Security Teams

1. Strict Dependency Management

  • Developers should only install trusted packages from well-known authors.
  • Tools like Snyk, Dependabot, and npm audit can help track vulnerabilities.

2. Regular Security Audits

  • Teams should continuously scan their software dependencies for suspicious behavior.
  • Automated YARA rule checks can help identify stealthy malware.

3. Sandboxing and Network Monitoring

  • Running new packages in an isolated environment before full deployment can prevent infections.
  • Monitoring network activity for unusual outbound connections can detect hidden backdoors.

4. Educating Developers on Open-Source Risks

  • Many developers trust open-source software blindly, making them easy targets.
  • Security training should emphasize code review and risk assessment before package adoption.

The Bigger Picture: Attackers Are Adapting

This npm attack is part of a broader trend in modern cyber threats. As defenders develop better detection methods, attackers innovate new ways to bypass them. Malicious actors are increasingly adopting:

– Multi-stage payloads to avoid detection.

  • Obfuscation techniques to hide malicious code in legitimate software.
  • Software supply chain attacks to infiltrate widely used systems.

Ultimately, the security of open-source software depends on the community’s ability to detect and respond to these threats before they escalate.

Fact Checker Results

  1. Legitimacy of the Attack: Confirmed by Reversing Labs, a credible cybersecurity research firm.
  2. Persistence of the Backdoor: Verified—attackers modify legitimate dependencies, making removal difficult.
  3. Mitigation Strategies: Industry best practices confirm that code reviews, dependency management, and security audits are essential defenses.

References:

Reported By: https://www.bleepingcomputer.com/news/security/new-npm-attack-poisons-local-packages-with-backdoors/
Extra Source Hub:
https://www.reddit.com/r/AskReddit
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image