
Malicious Packages with Hidden Code Discovered in the NPM Repository
🔍 Cybercriminals are increasingly using sophisticated techniques to inject malicious code into the NPM repository. Although the number of malicious packages seemed to decline from 2023 to 2024, the threat itself has not gone away: the packages that do appear are becoming more sophisticated.
Recently, security researchers identified two NPM packages – ethers-provider2 and ethers-providerz – that cleverly disguise their malicious intent. These packages use deceptive techniques to mislead developers and allow attackers to gain remote control over a victim’s system by establishing a reverse shell.
These malicious packages specifically target the locally installed ethers library. They act as downloaders: the package itself carries little more than a dropper, and the real payloads are fetched from a remote server and executed on the compromised system.
How Does the Malicious Code Work?
The attack unfolds in three main stages:
1️⃣ Downloading malicious code during installation – The modified install.js fetches the second-stage payload from a remote server and then deletes itself to avoid detection.
2️⃣ Modifying the ethers package – The provider-jsonrpc.js file is replaced with a malicious version that downloads and executes the next attack phase. A new loader.js file is also created to continuously inject malicious code.
3️⃣ Creating a reverse shell – This step grants attackers persistent remote control over the system. Because the hook now lives inside the patched ethers library rather than in the malicious package, it survives even after the malicious NPM package is uninstalled.
ethers-provider2 – A Dangerous Imitation of ssh2
The ethers-provider2 package mimics the popular ssh2 package but contains a malicious install.js file. Upon installation, it downloads a second-stage payload that modifies the ethers library, injecting attacker-controlled scripts.
The most concerning aspect of this package is that the compromise continues to function even after the package is uninstalled: the patched ethers files remain in place, allowing attackers to maintain long-term access to the compromised system.
ethers-providerz – A Similar Threat
The ethers-providerz package operates in a similar manner and was released in three versions. The first version was likely a test build, while the second and third versions contained nearly identical malicious code to ethers-provider2.
However, its install.js contained incorrect file paths, which may have prevented it from fully compromising the @ethersproject/providers package. Despite this, it still successfully created a loader.js file and maintained a mechanism to fetch secondary payloads from a remote server.
Other Malicious Packages Identified
Researchers also discovered additional packages that may be linked to this attack campaign:
🔹 reproduction-hardhat
🔹 @theoretical123/providers
All of these packages have been removed from the NPM repository, but similar threats could emerge again.
What Are the Risks of Malicious NPM Packages?
🔴 They can:
✔ Compromise local applications and establish a reverse shell for remote control.
✔ Infect widely used libraries, spreading malicious code to unsuspecting developers.
✔ Disrupt software supply chain security, impacting companies and end-users.
✔ Steal sensitive information, including login credentials, passwords, and API keys.
These attacks pose a serious risk not only to developers but also to end-users. Once malicious code is embedded in software products, every user of that software becomes vulnerable.
How Can NPM Users Stay Safe?
✅ Be cautious when installing NPM packages
– Avoid installing unfamiliar or suspiciously named packages without verification.
– Stick to well-known and widely used libraries.
✅ Verify package sources
– Check the publisher, the download history, and the package’s GitHub repository and official documentation. A name that is a near-copy of a popular library (ethers-provider2 next to ethers) is a red flag.
– Use the npm audit command to check for known vulnerabilities in dependencies. Keep in mind that it only reports packages already present in the advisory database, so a freshly published malicious package will not be flagged by it alone.
✅ Inspect code before installation
– Check package.json for preinstall, install, and postinstall scripts, and read any file they run (such as install.js) before installation. Running npm install --ignore-scripts, or setting ignore-scripts=true in .npmrc, stops such scripts from executing automatically, at the cost of breaking packages that legitimately need them.
– If a suspicious package was already installed, inspect the library it targets (here ethers) as well, since the patched files stay behind after the package itself is removed.
✅ Utilize automated security tools
– Use tools like Snyk, Dependabot, ReversingLabs, or npm audit to scan for security risks.
✅ Isolate environments
– Test packages in a sandbox environment before deploying them in production.
– Use containerization tools like Docker to limit the impact of malicious code.
While the total number of malicious NPM packages may have decreased, their complexity is increasing. The ethers-provider2 and ethers-providerz packages demonstrated how attackers can inject malicious code, hijack local libraries, and maintain remote control even after package removal.
Therefore, developers, companies, and users must remain vigilant and consistently perform security checks on their dependencies.
📢 Important! To protect software security, it is crucial to strengthen supply chain security, thoroughly vet packages before installation, and implement robust cybersecurity measures! 🚨