Security researchers have discovered a sophisticated malware campaign on the NPM package repository that infects locally installed packages with malicious code. The malware, found in packages named "ethers-provider2" and "ethers-providerz", targets the legitimate "ethers" package by injecting a reverse shell payload.
The malicious packages operate in multiple stages. When installed, they first download additional malware components from a remote server. The second stage then monitors for the presence of the "ethers" package on the system. Once detected, it replaces a key file with a malicious version that downloads the final payload: a reverse shell giving attackers remote access.
What makes this attack particularly dangerous is its persistence mechanism. Even if the original malicious package is removed, the infected "ethers" files remain compromised. The malware will also re-infect "ethers" if it's reinstalled later.
"This approach reveals a high level of sophistication that we haven't seen before in NPM-based downloaders," notes Lucija Valentić, Software Threat Researcher at ReversingLabs, who discovered the threat.
The researchers emphasize that while local installations were targeted, the official NPM package remains uncompromised. However, any system on which the malicious packages were installed may have its development environment and connected networks at risk.
Two additional related packages have since been identified: "reproduction-hardhat" and "@theoretical123/providers". While these have been removed from NPM, "ethers-provider2" remained available at the time of discovery and has been reported to NPM maintainers.
The discovery highlights growing risks in the software supply chain, as attackers develop increasingly sophisticated methods to compromise development environments through popular package repositories. Developers are advised to carefully verify package sources and monitor for signs of compromise in their local installations.
ReversingLabs has released a YARA detection rule to help identify infected "ethers" package installations.