Full Report
Cybersecurity researchers have discovered two malicious packages on the npm registry that are designed to infect another locally installed package, underscoring the continued evolution of software supply chain attacks targeting the open-source ecosystem. The packages in question are ethers-provider2 and ethers-providerz, with the former downloaded 73 times to date since it was published on
Analysis Summary
# Tool/Technique: ethers-provider2/ethers-providerz Malicious npm Packages
## Overview
These are two malicious packages discovered on the npm registry, `ethers-provider2` and `ethers-providerz`, designed to compromise systems by targeting the legitimate, widely used `ethers` library (and `@ethersproject/providers` for the latter). Their primary goal is to install a multi-stage payload culminating in a persistent reverse shell connection to the attacker's infrastructure.
## Technical Details
- Type: Malware / Supply Chain Compromise (Trojanized Library Implantation)
- Platform: Node.js/JavaScript environments utilizing npm packages (Linux, macOS, Windows)
- Capabilities: Initial download, execution of second-stage payload, local modification/patching of legitimate libraries, establishment of a reverse shell over SSH.
- First Seen: March 2025
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1195 - Supply Chain Compromise
- T1195.003 - Compromise Software Distribution Channel
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.004 - Unix Shell
- T1059.006 - Python
- TA0003 - Persistence
- T1543.003 - Create or Modify System Process: Scheduled Task/Job (Implied by persistence mechanism targeting library use)
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Implied for initial fetch)
- T1071.004 - SSH (Used for final reverse shell)
## Functionality
### Core Capabilities
- **Stage 1 (Downloader):** The malicious package (e.g., `ethers-provider2`) acts as a trojanized version of the `ssh2` npm package. Its `install.js` payload retrieves second-stage malware from a remote server, writes it to a temporary file, executes it, and immediately deletes the temporary file.
- **Stage 2 (Patcher/Persistence Mechanism):** The second-stage payload loops, constantly checking for the presence of the legitimate `ethers` package. If found, it modifies a specific file within the legitimate library, `provider-jsonrpc.js`, replacing it with a malicious counterfeit.
- **Stage 3 (Reverse Shell):** The patched file fetches and executes a final third-stage payload, which establishes a reverse shell connection to the attacker's server over SSH, initiated upon receiving a custom message from the C2.
### Advanced Features
- **Local Library Patching:** The technique ensures persistence even if the initial rogue npm package (`ethers-provider2`) is uninstalled, as the malicious logic is embedded within the trusted `ethers` library used by the target application.
- **Trace Evasion:** Immediate deletion of the Stage 1 downloaded binary to hinder forensic analysis.
- **SSH-based C2:** Utilizes SSH for the final reverse shell, potentially leveraging common ports or protocols to blend in.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names:
  - Modified legitimate file: `provider-jsonrpc.js` (within the local `ethers` installation)
- Registry Keys: [Not applicable/provided]
- Network Indicators:
  - C2 Server (Stage 1/2): `5-199-166[.]1:31337/install`
- Behavioral Indicators:
  - Execution of code within npm package installation scripts (`install.js`).
  - Write/modification operations within trusted npm library directories (e.g., `/node_modules/ethers/lib/`).
  - Outbound connections initiated by Node.js processes to external IPs on high or non-standard ports (port 31337 is used for the Stage 1/2 C2 fetch; the final reverse shell uses SSH).
## Associated Threat Actors
- [Not explicitly named in the provided context, attributed to unknown threat actors leveraging software supply chain attacks.]
## Detection Methods
- Signature-based detection: YARA rules targeting known C2 infrastructure or specific strings/patterns in the Stage 1 `install.js`.
- Behavioral detection: Monitoring for arbitrary file creation/modification within installed node module directories, especially core files of popular libraries like `ethers`. Monitoring outbound connections stemming from npm installation scripts (post-install hooks).
- YARA rules: [Not provided in context]
## Mitigation Strategies
- **Supply Chain Verification:** Pin dependencies to trusted versions and use integrity checks (e.g., checksums) where possible.
- **Least Privilege:** Run build and application environments under restricted user accounts to limit filesystem write access across the system or shared development directories.
- **Monitor Post-Install Scripts:** Implement security scanning or runtime environment watches that flag suspicious activity originating from `install.js` or similar lifecycle scripts within untrusted packages.
- **Code Review:** For critical internal libraries, audit dependency installations for modifications to core files.
## Related Tools/Techniques
- `ssh2` npm package (used as a base/trojan for the initial dropper).
- Other malicious npm packages targeting Node.js environments.