Summary: Researchers at ReversingLabs have found two malicious npm packages, ‘ethers-provider2’ and ‘ethers-providerz’, that patch a legitimate package already installed on the victim's machine with a reverse shell backdoor, so the attacker keeps access even after the malicious packages themselves are uninstalled. The packages use a multi-stage, deliberately obfuscated installation flow to hide what they do, replacing a legitimate file with a trojanized copy. Developers are urged to verify that a package is what it claims to be before installing it and to scan their environments for signs of tampering.
Affected: npm (Node package manager)
Key points:
- Two malicious packages were found on npm that covertly patch a legitimate, already-installed package with a reverse shell backdoor.
- The malicious packages run a multi-stage payload that overwrites a legitimate file with an infected version, so the backdoor persists even after the malicious package is uninstalled; removing the dropper does not remove the patch.
- ReversingLabs advises developers to use YARA rules and to scrutinize package code for legitimacy and signs of risk when downloading from package indexes.
Source: https://www.bleepingcomputer.com/news/security/new-npm-attack-poisons-local-packages-with-backdoors/