A newly reported attack on the npm (Node package manager) registry uses malicious packages to silently patch a legitimate package that is already installed locally, planting a persistent reverse-shell backdoor inside it. Because the backdoor lives in the legitimate package rather than in the malicious one, removing the malicious packages leaves the backdoor active on the victim's system.

Discovery of Malicious Packages

Researchers at ReversingLabs identified two malicious npm packages, 'ethers-provider2' and 'ethers-providerz', which use multi-stage loading to keep their malicious payloads out of the published package contents. The packages were found during ReversingLabs' routine monitoring of open-source package repositories.

Mechanism of the Attack

The 'ethers-provider2' package, which was still available on npm at the time of the report, is a copy of the widely used 'ssh2' npm package with a modified 'install.js' script. Because 'install.js' is wired into the package's install lifecycle hook, npm runs it automatically during installation, with no action from the developer beyond installing the package. The attack proceeds in three stages:

  • Stage One: The modified 'install.js' downloads a second-stage payload from an external host, executes it, and then deletes the downloaded file to remove traces from disk.
  • Stage Two: The payload monitors the system for the legitimate 'ethers' package and, once it is present, replaces its 'provider-jsonrpc.js' file with a trojanized version.
  • Stage Three: The trojanized file fetches a further payload from a remote host and opens a reverse shell to the attacker using a modified SSH client.

Persistent Threats

The attack is particularly dangerous because uninstalling 'ethers-provider2' does not remove the backdoor: it lives in the modified 'provider-jsonrpc.js' inside the legitimate 'ethers' package, which stays compromised until that package is itself deleted and reinstalled from a clean source. The 'ethers-providerz' package exhibits similar behavior, targeting the @ethersproject/providers package instead of 'ethers'.

Additional Findings and Recommendations

ReversingLabs also identified two more packages, 'reproduction-hardhat' and '@theoretical123/providers', linked to the same campaign. Developers are advised to use the YARA rule published by ReversingLabs to detect malware associated with this campaign.

When installing packages from registries such as npm and PyPI, it is crucial to verify their legitimacy and scrutinize their code for risks such as obfuscated code and calls to external servers. Names that closely resemble a popular package (here, 'ethers-provider2' and 'ethers-providerz' against 'ethers') deserve extra suspicion, and install-time scripts in particular warrant review, since that is where this campaign's loader ran.
