Source: lucija.valentic@reversinglabs.com (Lucija), Blog (Main)
A new malware campaign has been discovered targeting developers through malicious npm packages. Researchers at ReversingLabs identified two packages, ethers-provider2 and ethers-providerz, designed to inject reverse shells into locally installed instances of the popular 'ethers' library. This allows attackers to gain remote access to compromised systems. The attack cleverly hides its malicious payload, modifying legitimate files to ensure persistence even after the initial packages are removed.
This campaign showcases a sophisticated approach to software supply chain attacks. The malicious packages act as downloaders, patching the 'ethers' library with a reverse shell. Once 'ethers' is reinstalled, the modifications are reintroduced, granting attackers continued access. ReversingLabs detected the threat using its Spectra platform and has developed a YARA rule to identify compromised systems. While ethers-providerz has been removed, ethers-provider2 remains available, posing a substantial risk, especially if such tactics are deployed against more popular npm packages in the future.
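Because the malicious packages modify files of an already-installed library, a lockfile integrity check at install time does not catch the change; a defender needs a baseline of the installed tree and a later comparison. The following is an added illustration, not code from ReversingLabs or from the npm project: it records SHA-256 hashes of every file under a package directory, reports files that were added, removed or modified since the baseline, flags dependencies whose names match the two packages in the report, and lists any package declaring npm install lifecycle scripts (a general heuristic for packages that run code on install, not a claim about how these specific packages work). The temporary `node_modules` tree it builds is constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Package names taken from the report above.
KNOWN_BAD = {"ethers-provider2", "ethers-providerz"}

# npm lifecycle hooks that execute code during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Compare two manifests and return added/removed/modified file lists."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def find_known_bad(node_modules: Path) -> list:
    """Return installed top-level package names that match the reported malicious names."""
    return sorted(p.name for p in node_modules.iterdir()
                  if p.is_dir() and p.name in KNOWN_BAD)


def packages_with_install_scripts(node_modules: Path) -> list:
    """Return (package, hook, command) for every package.json declaring an install hook."""
    hits = []
    for pkg_json in sorted(node_modules.glob("*/package.json")):
        try:
            scripts = json.loads(pkg_json.read_text()).get("scripts", {})
        except (json.JSONDecodeError, OSError):
            continue
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                hits.append((pkg_json.parent.name, hook, scripts[hook]))
    return hits


def demo() -> tuple:
    """Build a constructed node_modules tree, baseline it, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = Path(tmp) / "node_modules"
        ethers = nm / "ethers"
        (ethers / "lib").mkdir(parents=True)
        (ethers / "package.json").write_text(json.dumps({"name": "ethers"}))
        (ethers / "lib" / "provider.js").write_text("module.exports = {};\n")

        baseline = hash_tree(ethers)  # taken right after a clean install

        # Simulated tampering: one library file is altered in place and a
        # package with a reported malicious name appears, carrying an install hook.
        (ethers / "lib" / "provider.js").write_text("module.exports = {}; /* altered */\n")
        bad = nm / "ethers-provider2"
        bad.mkdir()
        bad_manifest = {"name": "ethers-provider2",
                        "scripts": {"postinstall": "node loader.js"}}
        (bad / "package.json").write_text(json.dumps(bad_manifest))

        return (diff_manifest(baseline, hash_tree(ethers)),
                find_known_bad(nm),
                packages_with_install_scripts(nm))


if __name__ == "__main__":
    changes, bad_names, hooks = demo()
    print("changed files:", changes)
    print("known-bad packages:", bad_names)
    print("install hooks:", hooks)
```

In practice the baseline would be produced immediately after `npm ci` from a trusted lockfile and stored outside the project tree, and the comparison re-run periodically or before a release build; any entry in `modified` under a dependency that should be read-only is worth treating as an incident until explained.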
References:
- Malicious npm Packages Deliver Sophisticated Reverse Shells
- Blog (Main): Malware found on npm infecting local package with reverse shell
- thehackernews.com: Malicious npm Package Modifies Local 'ethers' Library to Launch Reverse Shell Attacks
- hackread.com: New npm Malware Attack Infects Popular Ethereum Library with Backdoor
- www.bleepingcomputer.com: Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor.
- The DefendOps Diaries: Explore a sophisticated npm attack revealing software supply chain vulnerabilities and the need for enhanced security measures.
- Datadog Security Labs: Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages
- www.csoonline.com: Malicious npm packages found to create a backdoor in legitimate code
- BleepingComputer: Infostealer campaign compromises 10 npm packages, targets devs