
Malicious npm Package Modifies Local 'ethers' Library to Launch Reverse Shell Attacks

Summary:
Cybersecurity researchers have uncovered two malicious packages on the npm registry, ethers-provider2 and ethers-providerz, that exemplify a new wave of software supply chain attacks targeting open-source ecosystems. Published on March 15, 2025, ethers-provider2 was downloaded 73 times before detection, while ethers-providerz received no downloads and was likely removed by its author. According to ReversingLabs, the packages were simple downloaders whose second-stage payload stealthily “patched” a popular locally installed npm package, ethers, by inserting a malicious file. This patch enabled a reverse shell, giving attackers persistent access to compromised systems. Removing the rogue package alone does not neutralize the threat: the altered ethers files continue to pose a risk, and ethers can even be re-infected if ethers-provider2 remains on the system when the ethers package is reinstalled.

Further analysis revealed that ethers-provider2 is a trojanized version of the legitimate ssh2 npm package, containing a hidden payload in its install.js script. This script fetched second-stage malware from a remote server, stored it temporarily, executed it, and then deleted it to cover its tracks. The malware continually checked for the presence of the ethers package and, once it was found, replaced a file named provider-jsonrpc.js with a tampered version that fetched and ran a third-stage payload: a reverse shell that communicated with the attacker’s server via SSH. Even if ethers-provider2 is later removed, the infected ethers package can still maintain the reverse shell, preserving the attacker’s persistence.

Security Officer Comments:
The second package, ethers-providerz, followed a similar method, attempting to alter components of a related npm package, @ethersproject/providers, although its specific target file is unclear; its source code hints that it may have been loader.js. These findings underscore the sophistication of modern supply chain attacks and the importance of carefully vetting packages from open-source repositories. Despite low download numbers, the packages are considered highly dangerous because they can corrupt legitimate libraries and persist even after an attempted cleanup.

Suggested Corrections:

  • Audit Dependencies: Avoid obscure packages with low downloads or poor documentation. Regularly review all dependencies.
  • Integrity Checks: Use package-lock.json, npm audit, and tools like Snyk or Socket.dev to detect malicious code.
  • Clean Infections: Delete node_modules/ and package-lock.json, then reinstall packages to remove tampered files.
  • Monitor Activity: Watch for suspicious outbound connections or reverse shell behavior using EDR tools.
  • Secure Build Environments: Use containers or sandboxes for builds to isolate threats.
  • Limit Privileges: Avoid installing packages with admin/root rights and apply least privilege principles.
  • Developer Awareness: Educate teams on supply chain risks and warning signs of malicious packages.

IOCs:
https://www.reversinglabs.com/blog/malicious-npm-patch-delivers-reverse-shell

Link(s):
https://thehackernews.com/2025/03/malicious-npm-package-modifies-local.html