New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload


Mar 27, 2025 - 06:59

The NPM package repository remains active, and despite a decline in malware numbers between 2023 and 2024, this year’s numbers don’t seem to continue that downward trend.

Recently, security researchers discovered two intriguing packages ethers-provider2 and ethers-providerz, which employed sophisticated techniques to conceal their malicious intentions.

These packages act as downloaders, injecting malicious code into locally installed versions of the legitimate ethers package, ultimately creating a reverse shell on the victim’s machine. This level of sophistication warrants a closer examination.

The ethers-provider2 Malware Delivery

The ethers-provider2 package, which was available on NPM at the time of publication, mimics the legitimate and widely used ssh2 package.

While it contains the legitimate ssh2 source code, ethers-provider2 also includes malicious additions.

ReversingLabs detected the malicious code within ethers-provider2. The package’s install.js file had been altered to download second-stage malware from a remote server upon installation.

This downloaded script is then executed and immediately deleted, a tactic uncommon in legitimate packages and indicative of malicious intent.

The second-stage malware operates by continuously checking for the presence of the legitimate ethers package on the local system.

Once detected, it replaces the provider-jsonrpc.js file with a modified version containing malicious code that downloads and executes third-stage malware from the same remote server.

[Image: Malicious Package]

Additionally, the second-stage malware creates a loader.js file that replicates the “patching” functionality and executes it.

The final stage involves establishing a reverse shell connection to the attacker’s server, utilizing an SSH client from the ethers-provider2 package.

This client, while functioning similarly to a legitimate ssh2 client, is modified to receive specific messages that initiate the reverse shell.

Critically, this reverse shell remains active even after the ethers-provider2 package is removed, providing persistence for the attackers.

The ethers-providerz Package

The ethers-providerz package, part of the same campaign, had three versions, with the last two bearing similarities to ethers-provider2.

The first version appeared to be a test version with non-functional components. Its malicious payload, located in the install.js script, attempts to patch files of the @ethersproject/providers package.

However, the file paths were incorrectly defined, leaving the specific target package uncertain.

The payload also creates and executes a malicious loader.js file in the node_modules folder, which downloads the second stage from the same remote server used by ethers-provider2, according to ReversingLabs’ report.

The threat actor may have been attempting to “patch” a common, legitimate, and locally installed NPM package with a nearly identical version containing malicious code.

Following the discovery of ethers-provider2 and ethers-providerz, researchers identified additional packages potentially linked to the campaign: reproduction-hardhat and @theoretical123/providers.

Both packages have been removed from NPM. This campaign highlights the growing software supply chain risks for both software producers and end-user organizations.

Despite a decrease in malware on open-source repositories in 2024, malicious actors remain actively involved in distributing malicious packages to developers.

The sophistication of this attack, particularly the persistence mechanism, underscores the need for vigilance and robust security measures to mitigate supply chain threats.


The post New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload appeared first on Cyber Security News.