Malicious npm Package Modifies Local 'ethers' Library to Launch Reverse Shell Attacks

Cybersecurity researchers have discovered two malicious packages on the npm registry that are designed to infect another locally installed package, underscoring the continued evolution of software supply chain attacks targeting the open-source ecosystem.

The packages in question are ethers-provider2 and ethers-providerz, with the former downloaded 73 times to date since it was published on March 15, 2025. The second package, likely removed by the malware author themselves, did not attract any downloads.

"They were simple downloaders whose malicious payload was cleverly hidden," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News.

"The interesting part lay in their second stage, which would 'patch' the legitimate npm package ethers, installed locally, with a new file containing the malicious payload. That patched file would ultimately serve a reverse shell."

The development marks a new escalation of threat actors' tactics, as uninstalling the rogue packages won't rid compromised machines of the malicious functionality, since the changes reside in the popular library. On top of that, if an unsuspecting user removes the ethers package when ethers-provider2 remains on the system, it risks reinfection when the package is installed again at a later time.

ReversingLabs' analysis of ethers-provider2 has revealed that it's nothing but a trojanized version of the widely-used ssh2 npm package that includes a malicious payload within install.js to retrieve a second-stage malware from a remote server ("5.199.166[.]1:31337/install"), write it to a temporary file, and run it.

Immediately after execution, the temporary file is deleted from the system in an attempt to avoid leaving any traces. The second-stage payload, for its part, starts an infinite loop to check if the npm package ethers is installed locally.

In the event, the package is already present or it gets freshly installed, it springs into action by replacing one of the files named "provider-jsonrpc.js" with a counterfeit version that packs in additional code to fetch and execute a third-stage from the same server. The newly downloaded payload functions as a reverse shell to connect to the threat actor's server over SSH.

"That means that the connection opened with this client turns into a reverse shell once it receives a custom message from the server," Valentić said. "Even if the package ethers-provider2 is removed from a compromised system, the client will still be used under certain circumstances, providing a degree of persistence for the attackers."

It's worth noting at this stage that the official ethers package on the npm registry is not compromised, since the malicious modifications are made locally post-installation.

The second package, ethers-providerz, also behaves in a similar manner in that it attempts to alter files associated with a locally installed npm package called "@ethersproject/providers." The exact npm package targeted by the library is not known, although source code references indicate it could have been loader.js.

The findings serve to highlight the novel ways threat actors are serving and persisting malware in developer systems, making it essential that packages from open-source repositories are carefully scrutinized before downloading and using them.

"Despite the low download numbers, these packages are powerful and malicious," Valentić said. "If their mission is successful, they will corrupt the locally installed package ethers and maintain persistence on compromised systems even if that package is removed."

New npm attack poisons local packages with backdoors

RedCurl cyberspies create ransomware to encrypt Hyper-V servers

Free online web security scanner