New npm Malware Attack Infects Popular Ethereum Library with Backdoor

Security researchers at ReversingLabs have discovered a new malware campaign on the npm package repository, revealing a new approach to infecting developers’ systems. Unlike typical malware, this attack doesn’t just deliver malicious code – it hides it within legitimate software already installed on a user’s computer.

The campaign centers around two packages, ethers-provider2 and ethers-providerz, which initially appear as harmless downloaders. However, these packages quietly work to “patch” a popular npm package called ethers, a widely used tool for interacting with the Ethereum blockchain, with a malicious file. This altered version of ethers then opens a backdoor, giving attackers remote access to the compromised system.

What makes this attack stand out is the level of effort the attackers put into hiding their payload. ReversingLabs’ analysis, shared with Hackread.com ahead of its publishing on Wednesday, shows the malware goes to great lengths to cover its tracks, even deleting temporary files used during the infection process, something rarely seen in typical npm-based malware.

“These evasive techniques were more thorough and effective than we’ve observed in npm-based downloaders before,” researchers noted in their blog post. Even removing the initial malicious package doesn’t guarantee safety, as the altered ethers package can persist and re-infect itself if re-installed.

The attack works by downloading several stages of malware. The initial downloader grabs a second stage, which then checks for the presence of the ethers package. If found, it replaces a core file with a modified version that downloads and executes a final stage – a reverse shell allowing attackers full control.

Reverse shell established, connecting to the threat actor’s server (Credit: Reversing Labs)

While ethers-providerz has since been removed from npm, ethers-provider2 was still available at the time of publication and has been reported to npm maintainers. Researchers have also identified additional packages, reproduction-hardhat and @theoretical123/providers, linked to the same campaign, both of which have now been removed.

ReversingLabs has released a YARA rule to help developers detect if their locally installed ethers package has been compromised.
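Alongside a YARA rule, a defender can also check whether a locally installed package still matches what the registry shipped, since an in-place patch of the kind described above leaves at least one file that no longer agrees with the published tarball. The following script is an added example, not the article's or ReversingLabs' tooling; it assumes the reference tarball was fetched separately (for instance with `npm pack <name>@<version>`) and that npm tarballs keep their files under a top-level `package/` directory.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tarball_hashes(tarball: bytes) -> dict:
    """Map each file in the registry tarball (minus the leading `package/`) to its SHA-256."""
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tf:
        for member in tf.getmembers():
            if member.isfile():
                rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
                hashes[rel] = _sha256(tf.extractfile(member).read())
    return hashes

def installed_hashes(pkg_dir: Path) -> dict:
    """Map each file under node_modules/<pkg> to its SHA-256, using forward-slash paths."""
    return {p.relative_to(pkg_dir).as_posix(): _sha256(p.read_bytes())
            for p in pkg_dir.rglob("*") if p.is_file()}

def compare_package(pkg_dir: Path, tarball: bytes) -> dict:
    """Files that differ from, are missing from, or were added beyond what the registry shipped.
    Any entry under `modified` or `added` means the install no longer matches the tarball."""
    ref, got = tarball_hashes(tarball), installed_hashes(pkg_dir)
    return {"modified": sorted(f for f in ref if f in got and ref[f] != got[f]),
            "missing": sorted(f for f in ref if f not in got),
            "added": sorted(f for f in got if f not in ref)}

def demo() -> dict:
    """Constructed sample (not real ethers data): one shipped file altered in place, one file added."""
    files = {"package/package.json": b'{"name":"example-lib"}\n',
             "package/lib/index.js": b"module.exports = 1;\n"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:  # build the reference tarball in memory
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    root = Path(tempfile.mkdtemp())  # stands in for node_modules/example-lib
    (root / "lib").mkdir()
    (root / "package.json").write_bytes(files["package/package.json"])
    (root / "lib" / "index.js").write_bytes(b"module.exports = 1; require('./extra');\n")
    (root / "lib" / "extra.js").write_bytes(b"// constructed extra file\n")
    return compare_package(root, buf.getvalue())
```

Against a real install, point `compare_package` at `node_modules/ethers` and the bytes of the tarball `npm pack` produced for the same version.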

This incident is a reminder that malicious packages on npm remain a serious problem. Even though the number of malicious packages dropped slightly in 2024, attackers keep finding new ways into the software supply chain. Developers need to stay cautious and follow strong security practices to keep themselves and their projects safe.
