This article discusses the emergence of two malicious npm packages, ethers-provider2 and ethers-providerz, which deliver sophisticated malware via clever techniques that manipulate legitimate npm packages. The malicious payloads are designed to persist even after package removal, highlighting the vulnerabilities in the open-source software supply chain. Affected: npm packages, software development environments
Keypoints:
- Detection of malicious npm packages decreased between 2023 and 2024, but new threats emerged in 2024.
- ethers-provider2 patches the legitimate npm package ethers with malicious code.
- Malware from ethers-provider2 is designed to create a reverse shell on compromised systems.
- ethers-providerz attempted to manipulate another npm package, @ethersproject/providers, but failed due to incorrect paths in the code.
- RL’s Spectra platform can detect even low-download malicious packages based on their behavior.
- Recent detection efforts included developing a YARA rule to identify compromised npm packages.
- New packages, reproduction-hardhat and @theoretical123/providers, have been linked to the same threat actor and have also been removed from npm.
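Because the payload lands inside a legitimate dependency and survives removal of the dropper package, one defender-side check is to diff an installed package against a trusted baseline. The script below is an added example, not code from the post or from ReversingLabs; it assumes a per-file manifest hashed from a pristine copy of the same version (for instance a fresh `npm pack` extracted elsewhere), and the package contents and the injected loader are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(pkg_dir):
    """Map every file under pkg_dir (relative POSIX path) to its SHA-256."""
    root = Path(pkg_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_package(installed_dir, expected):
    """Compare an installed package against a trusted manifest {relpath: sha256}.
    A patched dependency shows up as 'modified' (existing file altered) or
    'added' (dropped-in file); 'missing' catches deleted files."""
    actual = hash_tree(installed_dir)
    return {
        "modified": sorted(f for f in expected if f in actual and actual[f] != expected[f]),
        "added": sorted(set(actual) - set(expected)),
        "missing": sorted(set(expected) - set(actual)),
    }

def write(path, text):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)

def demo():
    """Constructed scenario (assumption, not the real package layout): a pristine
    'ethers' copy, then the same install after a hypothetical patch step."""
    root = Path(tempfile.mkdtemp())
    pristine = root / "pristine" / "ethers"
    write(pristine / "package.json", '{"name":"ethers","version":"0.0.0"}\n')
    write(pristine / "lib" / "index.js", "module.exports = { ethers: true };\n")
    manifest = hash_tree(pristine)  # trusted baseline taken before any install
    installed = root / "node_modules" / "ethers"
    for rel in manifest:
        write(installed / rel, (pristine / rel).read_text())
    # untouched install matches the baseline exactly
    assert diff_package(installed, manifest) == {"modified": [], "added": [], "missing": []}
    # simulate the patch: a legitimate file gains a require() of a dropped-in file
    write(installed / "lib" / "index.js",
          "require('./loader');\n" + (pristine / "lib" / "index.js").read_text())
    write(installed / "lib" / "loader.js", "/* placeholder for an injected file */\n")
    return diff_package(installed, manifest)

if __name__ == "__main__":
    print(demo())  # {'modified': ['lib/index.js'], 'added': ['lib/loader.js'], 'missing': []}
```

Run against a real `node_modules/<package>` with a manifest built from the registry tarball of the pinned version; any entry under `modified` or `added` warrants a look, since a clean install should match file for file.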
MITRE Techniques:
- T1047 – Windows Management Instrumentation (WMI): Used to execute the malware once the target files are replaced.
- T1071.001 – Application Layer Protocol: The reverse shell connects back to the threat actor’s server through an SSH client.
- T1132 – Data Encoding: The malware used encoded URLs to hide delivery of malicious payloads.
- T1203 – Exploitation for Client Execution: The package exploits the installation process of legitimate npm packages.
- T1499 – Endpoint Denial of Service: The malware persists even if the original malicious package is removed.
Indicators of Compromise:
- [URL] hxxp[:]//5[.]199[.]166[.]1[:]31337/install
- [URL] hxxp[:]//5[.]199[.]166[.]1[:]31337/config
Full Story: https://www.reversinglabs.com/blog/malicious-npm-patch-delivers-reverse-shell