New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload

These packages act as downloaders, injecting malicious code into locally installed versions of the legitimate ethers package, ultimately creating a reverse shell on the victim’s machine. The threat actor may have been attempting to “patch” a common, legitimate, and locally installed NPM package with a nearly identical version containing malicious code. Once detected, it replaces the provider-jsonrpc.js file with a modified version containing malicious code that downloads and executes third-stage malware from the same remote server. The payload also creates and executes a malicious loader.js file in the node_modules folder, which downloads the second stage from the same remote server as ethers-provider2, reads ReversingLabs’ report. Recently, security researchers discovered two intriguing packages ethers-provider2 and ethers-providerz, which employed sophisticated techniques to conceal their malicious intentions. The final stage involves establishing a reverse shell connection to the attacker’s server, utilizing an SSH client from the ethers-provider2 package. While containing the legitimate ssh2 source code, ethers-provider2 it includes malicious additions. Critically, this reverse shell remains active even after the ethers-provider2 the package is removed, providing persistence for the attackers. The second-stage malware operates by continuously checking for the presence of legitimate ethers package on the local system. The NPM package repository remains active, and despite a decline in malware numbers between 2023 and 2024, this year’s numbers don’t seem to continue that downward trend. The ethers-provider2 package, which was available on NPM at the time of publication, mimics the legitimate and widely used ssh2 package. This downloaded script is then executed and immediately deleted, a tactic uncommon in legitimate packages and indicative of malicious intent. The malicious payload, located in the install.js script attempts to patch files of the @ethersproject/providers package. Despite a decrease in malware on open-source repositories in 2024, malicious actors remain actively involved in distributing malicious packages to developers. The ethers-providerz package, part of the same campaign, had three versions, with the last two bearing similarities to ethers-provider2.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 26 Mar 2025 14:55:18 +0000


Cyber News related to New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload

'everything' blocks devs from removing their own npm packages - Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of ...
1 year ago Bleepingcomputer.com
New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload - These packages act as downloaders, injecting malicious code into locally installed versions of the legitimate ethers package, ultimately creating a reverse shell on the victim’s machine. The threat actor may have been attempting to ...
4 weeks ago Cybersecuritynews.com
Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
10 months ago Securitylabs.datadoghq.com
5000+ Malicious Packages Found In The Wild To Compromise Windows Systems - These packages, detected from November 2024 onward, employ sophisticated techniques to evade traditional security measures while executing harmful actions that can lead to data theft, unauthorized access, and complete system compromise. Similarly, ...
1 month ago Cybersecuritynews.com
Lazarus Hackers Weaponized 6 npm Packages To Steal Logins - The hackers successfully compromised six popular npm packages, injecting malicious code designed to harvest login credentials from thousands of developers and organizations worldwide. A sophisticated supply chain attack orchestrated by the notorious ...
1 month ago Cybersecuritynews.com Lazarus Group
Malicious NPM, PyPI Packages Stealing User Information - Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors ...
2 years ago Securityweek.com
Malicious npm Packages Attacking Linux Developers to Install SSH Backdoors - Discovered in early 2025, several malicious npm packages have been masquerading as legitimate Telegram bot libraries to deliver SSH backdoors and exfiltrate sensitive data from unsuspecting developers. The malicious variants—node-telegram-utils, ...
1 day ago Cybersecuritynews.com
3 PYPI Packages Caught Spreading Malware - Recent reports have highlighted the malicious spreading of malware via 3 specific Python Package Index (PyPI) packages. These 3 packages were identified and reported by Sonatype, a software supply chain security firm. ...
2 years ago Securityaffairs.com
New npm attack poisons local packages with backdoors - Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. In general, when downloading packages from package indexes like PyPI and ...
4 weeks ago Bleepingcomputer.com
Lazarus Adds New Malicious npm Packages with Hexadecimal Encoding - These packages, part of the broader Contagious Interview operation, are designed to evade automated detection systems and manual code audits, marking a significant evolution in the group’s approach to cyber espionage and financial theft. The ...
2 weeks ago Cybersecuritynews.com Lazarus Group
Three New Malicious PyPI Packages Deploy CoinMiner on Linux Devices - Affected platforms: LinuxAffected parties: Linux users that have these malicious packages installedImpact: Latency in device performanceSeverity level: High. On December 5th, 2023, FortiGuard's AI-driven OSS malware detection system identified three ...
1 year ago Feeds.fortinet.com
Malicious npm and PyPI Pose as Developer Tools to Steal Login Credentials - The researchers noted that the packages employ various exfiltration methods to transmit stolen credentials to threat actors, with react-native-scrollpageviewtest using Google Analytics as its exfiltration channel, while the PyPI packages leverage ...
1 day ago Cybersecuritynews.com
New Typosquatting and Repojacking Tactics Uncovered on PyPI - Security researchers have identified a concerning uptick in malicious activities infiltrating open-source platforms and code repositories. This trend encompasses a wide array of malicious activities, including hosting command-and-control ...
1 year ago Infosecurity-magazine.com
Malicious NPM Packages Targeting PayPal Users to Steal Sensitive Data - FortiGuard Labs, Fortinet’s AI-driven threat intelligence arm, has uncovered a series of malicious NPM packages designed to steal sensitive information from developers and target PayPal users. Detected between March 5 and March 14, 2025, these ...
1 week ago Cybersecuritynews.com
Misconfiguration and vulnerabilities biggest risks in cloud security: Report - The two biggest cloud security risks continue to be misconfigurations and vulnerabilities, which are being introduced in greater numbers through software supply chains, according to a report by Sysdig. While zero trust is a top priority, data showed ...
2 years ago Csoonline.com Hunters
Attack Vector vs Attack Surface: The Subtle Difference - Cybersecurity discussions about "Attack vectors" and "Attack surfaces" sometimes use these two terms interchangeably. This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two ...
2 years ago Trendmicro.com
116 Malicious PyPI Packages Downloaded Over 10,000 Times - A cluster of malicious Python projects has been identified in PyPI, the official Python PyPI package repository, which targets both Windows and Linux systems and often deploys a custom backdoor. In certain instances, the ultimate payload consists of ...
1 year ago Cybersecuritynews.com
Threat Actors Hijack Legitimate Crypto Packages to Inject Malicious Code - The attack specifically targets users of Atomic and Exodus wallets, hijacking transactions by injecting malicious code that redirects funds to attacker-controlled addresses. Once installed, the package examines the user’s system for installed ...
1 week ago Cybersecuritynews.com
North Korean Lazarus hackers infect hundreds via npm packages - The packages contain malicious code designed to steal sensitive information, such as cryptocurrency wallets and browser data that contains stored passwords, cookies, and browsing history. The packages, which have been downloaded 330 times, are ...
1 month ago Bleepingcomputer.com
7 Weaponized Go Packages Attacking Linux & macOS To Install Hidden Malware Loader - Security researchers have uncovered an ongoing malicious campaign targeting the Go ecosystem with seven typosquatted packages designed to install hidden loader malware on Linux and macOS systems. Security researchers recommend using tools like ...
1 month ago Cybersecuritynews.com
CVE-2022-29244 - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of ...
2 years ago
Android malware and unwanted software statistics for Q1 2024 - Over 389,000 malicious installation packages were detected, of which: 11,729 packages were related to mobile banking Trojans, 1,990 packages were mobile ransomware Trojans. The rapid growth in the total number of attacks between Q2 and Q4 2023 is ...
10 months ago Securelist.com
New XCSSET Malware Attacking macOS Users by Infecting Xcode Projects  - This modular backdoor, first documented in 2020, now employs advanced obfuscation techniques, refined persistence mechanisms, and novel infection vectors to subvert Apple’s security frameworks and compromise software supply chains. Microsoft Threat ...
2 months ago Cybersecuritynews.com
Hackers Abuse Node.js to Deliver Malware & Steal Data - Attracting malicious code within Node.js executables or npm (Node Package Manager) packages allows attackers to blend their malware with legitimate applications, evade detection, and persist within target environments. These installers contain ...
1 week ago Cybersecuritynews.com
New Supply Chain Attack Leveraging Python Package Index Targeting Wacatac Trojan - A new supply chain attack has recently been detected targeting Python Package Index (PyPI) users with the Wacatac Trojan. This attack is seen as the latest in a series of advanced persistent threats (APT) targeting the escalating use of Python in ...
2 years ago Securityweek.com

Latest Cyber News


Cyber Trends (last 7 days)