Full Report
Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. [...]
Analysis Summary
# Tool/Technique: npm Package Poisoning Campaign (ethers-provider2, ethers-providerz)
## Overview
This is a supply chain attack targeting the npm package ecosystem where malicious packages are published to poison legitimate, trusted dependencies, specifically those related to the 'ethers' JavaScript library used for interacting with Ethereum. The attack uses chained package dependencies to inject backdoors that establish reverse shells.
## Technical Details
- Type: Technique/Malware Chain (Supply Chain Attack)
- Platform: JavaScript/Node.js environments utilizing npm
- Capabilities: Initial staging via malicious package execution, discovery of target legitimate packages ('ethers'), replacement of legitimate files with trojanized versions, and establishing a reverse shell C2 connection.
- First Seen: Not explicitly mentioned, but part of a recent campaign described in the article.
## MITRE ATT&CK Mapping
Since the article describes the methods used rather than a single static tool, the mapping focuses on the observed behaviors:
- **TA0001 - Initial Access**
  - T1195 - Supply Chain Compromise
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.004 - Unix Shell
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols
## Functionality
### Core Capabilities
1. **Staging Payload Delivery:** Malicious packages (e.g., `ethers-provider2` based on `ssh2`) utilize modified `install.js` scripts to download and execute a second-stage payload from an external source.
2. **Payload Deletion:** The initial staging payload is executed and then deleted to remove traces of the initial infection vector.
3. **Target Identification and Infection:** The second stage monitors for the presence of legitimate packages (like 'ethers'). Upon detection, it replaces a critical file within the legitimate package (e.g., `provider-jsonrpc.js` in 'ethers') with a trojanized version.
4. **Persistence:** Uninstalling the initial malicious package does not remove the backdoor, because it lives in the patched file of the legitimate dependency, which stays installed.
### Advanced Features
- **Reverse Shell Establishment:** The injected file fetches a third-stage payload that establishes a persistent reverse shell connection using a modified SSH client, mimicking legitimate SSH2 behavior.
- **Targeted Poisoning:** Variants target specific libraries: `ethers-provider2` targets 'ethers', and `ethers-providerz` targets `@ethersproject/providers`.
- **Associated Packages:** Related packages mentioned include `reproduction-hardhat` and `@theoretical123/providers`.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: `install.js` (malicious script entry point), `provider-jsonrpc.js` (file target for trojanization).
- Registry Keys: [Not applicable/mentioned]
- Network Indicators: Malicious C2 IP: `5[.]199[.]166[.]1:31337`
- Behavioral Indicators: Execution of scripts from package installation directories, modification of files within installed third-party modules, and outbound SSH-protocol connections from Node.js processes to a non-standard port (31337 in this campaign).
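As an added example (not part of the ReversingLabs report or of this summary), the network indicators above applied to outbound-connection log lines: the known C2 endpoint is kept defanged in configuration and refanged only in memory, and Node.js processes talking to the non-standard port are flagged even when the destination IP is new. The log line format, the process names and the sample lines are constructed; only the C2 IP and port come from the report.

```python
"""Triage outbound-connection log lines against the network indicators from the
report. Added example; the log format and the sample lines below are constructed."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Indicator from the report, stored defanged and refanged only at load time.
DEFANGED_C2 = ["5[.]199[.]166[.]1:31337"]
SUSPICIOUS_PORTS = {31337}              # non-standard port the C2 listened on
NODE_PROCESSES = {"node", "npm", "npx"}  # process names treated as Node.js (assumed)


def refang(indicator: str) -> Tuple[str, int]:
    """'5[.]199[.]166[.]1:31337' -> ('5.199.166.1', 31337); rejects non-IP hosts."""
    host, _, port = indicator.replace("[.]", ".").rpartition(":")
    ipaddress.ip_address(host)  # raises ValueError if host is not an IP literal
    return host, int(port)


C2_ENDPOINTS = {refang(i) for i in DEFANGED_C2}

# Constructed line format: <ts> proc=<name> pid=<n> dst=<ip>:<port> proto=<tcp|udp>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+) proto=(?P<proto>\w+)$"
)


def classify(line: str) -> Optional[Dict]:
    """Return a finding for one log line, or None if nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    proc, port = m["proc"], int(m["port"])
    reasons = []
    if (m["ip"], port) in C2_ENDPOINTS:
        reasons.append("known C2 endpoint")
    if proc in NODE_PROCESSES and port in SUSPICIOUS_PORTS:
        reasons.append("node process to non-standard port")
    if not reasons:
        return None
    severity = "high" if "known C2 endpoint" in reasons else "medium"
    return {"ts": m["ts"], "proc": proc, "pid": int(m["pid"]),
            "dst": f"{m['ip']}:{port}", "severity": severity, "reasons": reasons}


def triage(lines: List[str]) -> List[Dict]:
    """Run classify() over a batch of lines and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample log: one benign TLS connection, one hit on the C2 endpoint,
# one unrelated ssh session, and one Node.js process reaching a new IP on 31337.
SAMPLE_LOG = """\
2025-01-01T10:00:01Z proc=node pid=4123 dst=203.0.113.5:443 proto=tcp
2025-01-01T10:00:09Z proc=node pid=4123 dst=5.199.166.1:31337 proto=tcp
2025-01-01T10:01:15Z proc=ssh pid=877 dst=192.0.2.10:22 proto=tcp
2025-01-01T10:02:40Z proc=node pid=4190 dst=198.51.100.7:31337 proto=tcp
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding["severity"].upper(), finding["proc"], finding["pid"],
              finding["dst"], "; ".join(finding["reasons"]))
```

The port-only rule is deliberately separate from the IP match: once the campaign's infrastructure moves, the exact endpoint indicator goes stale while "a Node.js process opened a connection to port 31337" keeps firing.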
## Associated Threat Actors
- Group affiliation is not specified in the text, but the activity is attributed to the attackers behind the specific malicious npm packages identified.
## Detection Methods
- Signature-based detection: YARA rule provided by ReversingLabs to detect known malware associated with the campaign.
- Behavioral detection: Monitor filesystem writes inside vendor or node_modules directories, especially replacement of established library files, and watch for unexpected network connections from Node.js processes, particularly to the known C2 IP.
- YARA rules: Specific YARA rules exist for the associated malware components.
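As an added example, not the report's YARA rule or any tooling from ReversingLabs, the behavioral checks above implemented as a Python audit of a node_modules tree. It lists every package that declares an npm lifecycle install hook (the `install.js` entry point the Mitigation section asks reviewers to inspect) and compares file hashes against a baseline recorded from a trusted install, which is how a replaced `provider-jsonrpc.js` surfaces even after the staging package has been uninstalled. The directory layout and file contents built in `demo()` are constructed, and the path `providers/provider-jsonrpc.js` is an assumed location rather than the file's real location inside ethers.

```python
"""Audit a node_modules tree for (a) packages that declare lifecycle install hooks
and (b) files whose contents changed since a trusted baseline was recorded.
Added example; the sample tree built in demo() is constructed."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

LIFECYCLE_KEYS = ("preinstall", "install", "postinstall")


def find_install_scripts(node_modules: Path) -> List[Tuple[str, str, str]]:
    """Return (package name, hook, command) for every package with an install hook."""
    hits = []
    for pkg_json in sorted(node_modules.rglob("package.json")):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or malformed manifest cannot declare a hook
        if not isinstance(data, dict) or not isinstance(data.get("scripts"), dict):
            continue
        for key in LIFECYCLE_KEYS:
            if key in data["scripts"]:
                hits.append((data.get("name", pkg_json.parent.name), key, data["scripts"][key]))
    return hits


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(node_modules: Path) -> Dict[str, str]:
    """Hash every .js file; record this right after an install you trust."""
    return {p.relative_to(node_modules).as_posix(): sha256_file(p)
            for p in node_modules.rglob("*.js")}


def verify_integrity(node_modules: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree against the baseline; modified files are the key finding."""
    current = build_baseline(node_modules)
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "added": []}
    for rel, digest in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo() -> Tuple[List[Tuple[str, str, str]], Dict[str, List[str]]]:
    """Build a constructed node_modules tree, baseline it, alter one file, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = Path(tmp) / "node_modules"
        # Legitimate-looking package with no install hooks (constructed contents).
        ethers = nm / "ethers"
        (ethers / "providers").mkdir(parents=True)
        (ethers / "package.json").write_text(
            json.dumps({"name": "ethers", "version": "0.0.0-constructed"}))
        target = ethers / "providers" / "provider-jsonrpc.js"  # assumed path
        target.write_text("module.exports = { JsonRpcProvider: class {} };\n")
        # Package declaring an install hook, as the staging packages did.
        staging = nm / "ethers-provider2"
        staging.mkdir()
        (staging / "package.json").write_text(json.dumps(
            {"name": "ethers-provider2", "scripts": {"install": "node install.js"}}))
        (staging / "install.js").write_text("// constructed placeholder\n")

        baseline = build_baseline(nm)
        # Stand-in for the post-install replacement the report describes.
        target.write_text("// replaced content (constructed)\n")
        return find_install_scripts(nm), verify_integrity(nm, baseline)


if __name__ == "__main__":
    hooks, report = demo()
    for name, hook, cmd in hooks:
        print(f"install hook: {name} {hook} -> {cmd}")
    for kind, files in report.items():
        for rel in files:
            print(f"{kind}: {rel}")
```

Take the baseline from a clean install produced with lifecycle scripts disabled, then rerun the integrity check after any install or in CI; a modified entry under a package you did not upgrade is exactly the pattern this campaign leaves behind.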
## Mitigation Strategies
- **Publisher Vetting:** Double-check the legitimacy of packages and their publishers before installation.
- **Code Inspection:** Examine package code for signs of risk, such as obfuscated code or calls to external, untrusted servers within installation scripts (`install.js`).
- **Dependency Scanning:** Use tools and YARA rules to scan project environments for remnant threats within already installed, legitimate packages.
- **Environment Lockdowns:** Restrict environments that can execute arbitrary code during package installation.
## Related Tools/Techniques
- `ethers-provider2` (Malicious npm package)
- `ethers-providerz` (Malicious npm package variant)
- `reproduction-hardhat` (Associated infrastructure)
- `@theoretical123/providers` (Associated infrastructure)