New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload

These packages act as downloaders, injecting malicious code into locally installed versions of the legitimate ethers package, ultimately creating a reverse shell on the victim’s machine. The threat actor may have been attempting to “patch” a common, legitimate, and locally installed NPM package with a nearly identical version containing malicious code. Once detected, it replaces the provider-jsonrpc.js file with a modified version containing malicious code that downloads and executes third-stage malware from the same remote server. The payload also creates and executes a malicious loader.js file in the node_modules folder, which downloads the second stage from the same remote server as ethers-provider2, reads ReversingLabs’ report. Recently, security researchers discovered two intriguing packages ethers-provider2 and ethers-providerz, which employed sophisticated techniques to conceal their malicious intentions. The final stage involves establishing a reverse shell connection to the attacker’s server, utilizing an SSH client from the ethers-provider2 package. While containing the legitimate ssh2 source code, ethers-provider2 it includes malicious additions. Critically, this reverse shell remains active even after the ethers-provider2 the package is removed, providing persistence for the attackers. The second-stage malware operates by continuously checking for the presence of legitimate ethers package on the local system. The NPM package repository remains active, and despite a decline in malware numbers between 2023 and 2024, this year’s numbers don’t seem to continue that downward trend. The ethers-provider2 package, which was available on NPM at the time of publication, mimics the legitimate and widely used ssh2 package. This downloaded script is then executed and immediately deleted, a tactic uncommon in legitimate packages and indicative of malicious intent. The malicious payload, located in the install.js script attempts to patch files of the @ethersproject/providers package. Despite a decrease in malware on open-source repositories in 2024, malicious actors remain actively involved in distributing malicious packages to developers. The ethers-providerz package, part of the same campaign, had three versions, with the last two bearing similarities to ethers-provider2.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 26 Mar 2025 14:55:18 +0000

Cyber News related to New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload

'everything' blocks devs from removing their own npm packages - Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of ...
1 year ago Bleepingcomputer.com

New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload - These packages act as downloaders, injecting malicious code into locally installed versions of the legitimate ethers package, ultimately creating a reverse shell on the victim’s machine. The threat actor may have been attempting to ...
3 months ago Cybersecuritynews.com

Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
1 year ago Securitylabs.datadoghq.com

npm 'accidentally' removes Stylus package, breaks builds and pipelines - Panya (the former maintainer of Stylus) used their own account to release a package containing malicious code (for security research purposes? I am unsure), but did not release a new version of Stylus containing malicious code. BleepingComputer ...
2 days ago Bleepingcomputer.com

5000+ Malicious Packages Found In The Wild To Compromise Windows Systems - These packages, detected from November 2024 onward, employ sophisticated techniques to evade traditional security measures while executing harmful actions that can lead to data theft, unauthorized access, and complete system compromise. Similarly, ...
4 months ago Cybersecuritynews.com

Lazarus Hackers Weaponized 6 npm Packages To Steal Logins - The hackers successfully compromised six popular npm packages, injecting malicious code designed to harvest login credentials from thousands of developers and organizations worldwide. A sophisticated supply chain attack orchestrated by the notorious ...
4 months ago Cybersecuritynews.com Lazarus Group

Malicious NPM, PyPI Packages Stealing User Information - Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors ...
2 years ago Securityweek.com

Malicious npm Packages Attacking Linux Developers to Install SSH Backdoors - Discovered in early 2025, several malicious npm packages have been masquerading as legitimate Telegram bot libraries to deliver SSH backdoors and exfiltrate sensitive data from unsuspecting developers. The malicious variants—node-telegram-utils, ...
3 months ago Cybersecuritynews.com

Hackers breach Toptal GitHub account, publish malicious npm packages - In the days that followed, the attackers modified the source code of Picasso on GitHub to include malware and published 10 malicious packages on NPM as Toptal, making them appear as legitimate updates. According to code security ...
1 day ago Bleepingcomputer.com

3 PYPI Packages Caught Spreading Malware - Recent reports have highlighted the malicious spreading of malware via 3 specific Python Package Index (PyPI) packages. These 3 packages were identified and reported by Sonatype, a software supply chain security firm. ...
2 years ago Securityaffairs.com

New npm attack poisons local packages with backdoors - Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. In general, when downloading packages from package indexes like PyPI and ...
4 months ago Bleepingcomputer.com

Lazarus Adds New Malicious npm Packages with Hexadecimal Encoding - These packages, part of the broader Contagious Interview operation, are designed to evade automated detection systems and manual code audits, marking a significant evolution in the group’s approach to cyber espionage and financial theft. The ...
3 months ago Cybersecuritynews.com Lazarus Group

Threat Actors Weaponized 28+ New npm Packages to Infect Users With Protestware Scripts - The persistence mechanism stores an initiation timestamp in localStorage using the key ‘swal-initiation’, calculating elapsed time since first visit to determine payload activation, ensuring repeat users experience the full protestware ...
1 week ago Cybersecuritynews.com

Three New Malicious PyPI Packages Deploy CoinMiner on Linux Devices - Affected platforms: LinuxAffected parties: Linux users that have these malicious packages installedImpact: Latency in device performanceSeverity level: High. On December 5th, 2023, FortiGuard's AI-driven OSS malware detection system identified three ...
1 year ago Feeds.fortinet.com

Malicious npm and PyPI Pose as Developer Tools to Steal Login Credentials - The researchers noted that the packages employ various exfiltration methods to transmit stolen credentials to threat actors, with react-native-scrollpageviewtest using Google Analytics as its exfiltration channel, while the PyPI packages leverage ...
3 months ago Cybersecuritynews.com

New Typosquatting and Repojacking Tactics Uncovered on PyPI - Security researchers have identified a concerning uptick in malicious activities infiltrating open-source platforms and code repositories. This trend encompasses a wide array of malicious activities, including hosting command-and-control ...
1 year ago Infosecurity-magazine.com

Malicious NPM Packages Targeting PayPal Users to Steal Sensitive Data - FortiGuard Labs, Fortinet’s AI-driven threat intelligence arm, has uncovered a series of malicious NPM packages designed to steal sensitive information from developers and target PayPal users. Detected between March 5 and March 14, 2025, these ...
3 months ago Cybersecuritynews.com

North Korean XORIndex malware hidden in 67 malicious npm packages - North Korean threat actors planted 67 malicious packages in the Node Package Manager (npm) online repository to deliver a new malware loader called XORIndex to developer systems. The packages collectively count more than 17,000 downloads and ...
1 week ago Bleepingcomputer.com

Misconfiguration and vulnerabilities biggest risks in cloud security: Report - The two biggest cloud security risks continue to be misconfigurations and vulnerabilities, which are being introduced in greater numbers through software supply chains, according to a report by Sysdig. While zero trust is a top priority, data showed ...
2 years ago Csoonline.com Hunters

Threat Actors Hijack Popular npm Packages to Steal The Project Maintainers' npm Tokens - Attackers first harvested maintainer credentials through sophisticated phishing emails, then used these stolen tokens to publish malicious package versions directly to npm repositories without making any corresponding changes to GitHub repositories, ...
4 days ago Cybersecuritynews.com

Attack Vector vs Attack Surface: The Subtle Difference - Cybersecurity discussions about "Attack vectors" and "Attack surfaces" sometimes use these two terms interchangeably. This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two ...
2 years ago Trendmicro.com

116 Malicious PyPI Packages Downloaded Over 10,000 Times - A cluster of malicious Python projects has been identified in PyPI, the official Python PyPI package repository, which targets both Windows and Linux systems and often deploys a custom backdoor. In certain instances, the ultimate payload consists of ...
1 year ago Cybersecuritynews.com

Arch Linux pulls AUR packages that installed Chaos RAT malware - Arch Linux has pulled three malicious packages uploaded to the Arch User Repository (AUR) were used to install the CHAOS remote access trojan (RAT) on Linux devices. The AUR is a repository where Arch Linux users can publish package build scripts ...
1 week ago Bleepingcomputer.com

Threat Actors Hijack Legitimate Crypto Packages to Inject Malicious Code - The attack specifically targets users of Atomic and Exodus wallets, hijacking transactions by injecting malicious code that redirects funds to attacker-controlled addresses. Once installed, the package examines the user’s system for installed ...
3 months ago Cybersecuritynews.com

North Korean Lazarus hackers infect hundreds via npm packages - The packages contain malicious code designed to steal sensitive information, such as cryptocurrency wallets and browser data that contains stored passwords, cookies, and browsing history. The packages, which have been downloaded 330 times, are ...
4 months ago Bleepingcomputer.com

New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload

Cyber News related to New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload

Latest Cyber News

Cyber Trends (last 7 days)

Trending Cyber News (last 7 days)