Malicious npm packages secretly install advanced reverse shells for unauthorized access.
In a recent discovery, malicious NPM packages have been identified as part of a new campaign delivering reverse shells to attackers' servers. Researchers at ReversingLabs uncovered two such packages, ethers-provider2 and ethers-providerz, using their Spectra platform.
The ethers-provider2 package, designed to mimic the legitimate ssh2 package, embeds harmful code within its installation script. Upon execution, it downloads a second-stage payload from an external server and executes it before erasing traces. If the ethers package is reinstalled after ethers-provider2 has been executed, the malicious modifications will be reintroduced.
Ethers-providerz, on the other hand, attempts to patch files within @ethersproject/providers. However, its malicious code contains incorrect file paths, indicating an incomplete implementation. Despite this, it poses a threat as it monitors for the installation of the legitimate ethers package and replaces a key file with a compromised version to retrieve a third-stage payload.
Further investigation uncovered additional related packages, "reproduction-hardhat" and "@theoretical123/providers," both of which were removed from npm after their malicious behavior was reported.
ReversingLabs has developed a YARA rule to identify systems where the ethers package has been modified. They warn that the threat actors made sure their malicious functionality would persist, even if the malicious package ethers-provider2 is removed.
Despite low download numbers, the risk remains substantial, particularly if such tactics are used against more popular NPM packages in future attacks. This latest campaign is evidence that the risk of downloading malware and compromising development environments and networks remains high.
Being alert to supply chain threats and attacks is crucial since there are many malicious packages lurking on npm, serving malware in various ways. It is essential to ensure that packages are verified before use and to keep software up-to-date to minimise the risk of infection.
The ethers-providerz package has been removed from npm, while ethers-provider2 remains available. Similar malicious packages using comparable techniques have previously been identified and removed by security researchers and the npm security team.
This news underscores the evolving landscape of software supply chain attacks, focusing on long-term persistence and stealth. It serves as a reminder for developers to prioritise security measures and stay vigilant in the face of these threats.