Malicious npm Packages Plant Persistent Reverse Shell Backdoors

The stealthy threat was identified by cybersecurity experts at Reversing Labs.


Security researchers have uncovered two malicious npm packages that quietly patch legitimate, locally installed libraries to plant a persistent reverse-shell backdoor, one that survives even after the malicious package itself has been removed.

The campaign was identified by researchers at ReversingLabs, who stressed that the technique matters even though the packages saw few downloads.

"It's not unusual to encounter downloaders on npm; they are maybe not as common as infostealers, but they are far from uncommon," explains ReversingLabs.

"However, this downloader is worth discussing because of the exceptional strategies employed by the attackers to hide the malicious payload it delivered."

The malicious packages, 'ethers-provider2' and 'ethers-providerz', were found during ReversingLabs' routine inspection of the open-source supply chain.

The 'ethers-provider2' package, still available on npm at the time of reporting, is a copy of the popular 'ssh2' npm package with one change: its install.js script is altered to fetch a second-stage payload from a remote server and run it. Once it has executed, the payload file is deleted from disk to avoid detection.

The second stage then looks for a locally installed copy of the legitimate 'ethers' package and, if it finds one, replaces its provider-jsonrpc.js file with a trojanized version. The patched file contacts a remote server to download a third-stage payload, which establishes a reverse shell through a tampered SSH client that imitates the real ssh2 module.

The alarming part: because the backdoor now lives inside the ethers package rather than in the downloader, uninstalling 'ethers-provider2' does not remove it. The patched ethers files stay in node_modules and the backdoor stays in place.

Similarly, 'ethers-providerz' mirrors this behavior but targets the @ethersproject/providers package. Its goal, based on code analysis, is the same: patch the library and open a reverse shell to the attacker-controlled host 5[.]199[.]166[.]1 on port 31337.

Earlier versions of 'ethers-providerz' contained path errors that kept the patch from working; the author has since removed the package from npm, possibly to re-upload a corrected version later.

Researchers also flagged two additional packages, 'reproduction-hardhat' and '@theoretical123/providers', as likely part of the same coordinated attack.

To help developers detect such threats, ReversingLabs has released a YARA rule that matches the known malware from this campaign, and it advises developers to scan their environments regularly and inspect installed packages for suspicious behavior.

As a general rule, it is critical to verify package integrity and authorship when installing from platforms like npm or PyPI, to pay particular attention to dependencies that declare install-time scripts (an install.js only runs because such a hook exists), and to watch for red flags such as obfuscated code or connections to external servers.