Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor.

The new tactic was discovered by researchers at Reversing Labs, who warned about the risk it entails, even if the packages weren't downloaded in large numbers.

The first package, which is still available on npm at the time of writing, is based on the popular 'ssh2' npm package but with a modified 'install.js' script that downloads a second-stage payload from an external source, which is executed and then deleted when finished to wipe all traces.

The second stage monitors for the legitimate 'ethers' package, and once it finds it, it replaces the legitimate 'provider-jsonrpc.js' file with a trojanized version. The injected file then fetches a third-stage payload from the remote host, which enables a reverse shell using a modified SSH client, mimicking the legitimate SSH2 client behavior.

What makes this attack so dangerous is that even if 'ethers-provider2' is uninstalled, the backdoor on the ethers package won't be removed, and so the legitimate package remains infected.

Reversing Labs reports that early versions of this package had path errors, which prevented it from working as intended.

Reversing Labs has included a YARA rule to detect known malware associated with this campaign, so developers should use it to scan their environments for remnant threats.

In general, when downloading packages from package indexes like PyPI and npm, it is recommended to double-check their legitimacy (and that of their publisher) and examine their code for signs of risk, such as obfuscated code and calls to external servers.

By Bill Toulas
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 26 Mar 2025 12:20:04 +0000