The NPM package repository remains active, and despite a decline in malware numbers between 2023 and 2024, this year’s numbers don’t seem to continue that downward trend. Despite a decrease in malware on open-source repositories in 2024, malicious actors remain actively involved in distributing malicious packages to developers. Recently, security researchers discovered two intriguing packages, ethers-provider2 and ethers-providerz, which employed sophisticated techniques to conceal their malicious intentions.

These packages act as downloaders, injecting malicious code into locally installed versions of the legitimate ethers package, ultimately creating a reverse shell on the victim’s machine. The downloaded script is executed and immediately deleted, a tactic uncommon in legitimate packages and indicative of malicious intent. The ethers-provider2 package, which was available on NPM at the time of publication, mimics the legitimate and widely used ssh2 package. While it contains the legitimate ssh2 source code, ethers-provider2 includes malicious additions.

The second-stage malware operates by continuously checking for the presence of the legitimate ethers package on the local system. Once detected, it replaces the provider-jsonrpc.js file with a modified version containing malicious code that downloads and executes third-stage malware from the same remote server. The threat actor may have been attempting to “patch” a common, legitimate, and locally installed NPM package with a nearly identical version containing malicious code. The final stage involves establishing a reverse shell connection to the attacker’s server, utilizing an SSH client from the ethers-provider2 package. Critically, this reverse shell remains active even after the ethers-provider2 package is removed, providing persistence for the attackers.

The ethers-providerz package, part of the same campaign, had three versions, with the last two bearing similarities to ethers-provider2. The malicious payload, located in the install.js script, attempts to patch files of the @ethersproject/providers package. “The payload also creates and executes a malicious loader.js file in the node_modules folder, which downloads the second stage from the same remote server as ethers-provider2,” reads ReversingLabs’ report.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 26 Mar 2025 14:55:18 +0000