Sophisticated npm Attack Infects Legitimate Packages with Persistent Reverse Shell Backdoors, Researchers Warn

Continue reading
Researchers at Reversing Labs have identified a troubling trend in software supply chain security: two malicious npm packages—ethers-provider2 and ethers-providerz—that stealthily compromise legitimate Ethereum development tools by installing a persistent reverse shell backdoor. This insidious method ensures that the backdoor remains operational even after the malicious packages are removed, underscoring a serious threat to the open-source ecosystem. This finding highlights the vulnerability inherent in developer workflows dependent on public repositories like npm, as even packages with minimal download counts can pose significant systemic risks.
The campaign, detected during routine supply chain security audits, leverages typosquatting—a technique where attackers mimic popular package names—to target developers using the ethers.js library, a cornerstone of Ethereum blockchain interactions. Both malicious packages masquerade as legitimate ethers.js dependencies but execute a multi-stage attack:
Upon installation, ethers-provider2 triggers a modified `install.js` script to fetch a second-stage payload from a remote server. The payload executes immediately and self-deletes to erase forensic traces.
The second payload scans for installations of the authentic ethers or @ethersproject/providers packages. Once identified, it replaces the legitimate `provider-jsonrpc.js` file with a trojanized version.
The injected code retrieves a final payload enabling a reverse shell connection to the attacker’s IP (`5.199.166.1:31337`). This backdoor, built on a modified `ssh2` client, mimics legitimate SSH traffic to evade detection, granting attackers persistent remote access.
_“The malware’s layered obfuscation and self-destruct mechanisms make forensic analysis exceptionally challenging,”_ Reversing Labs noted in a technical advisory.
Unlike conventional malware that depends on the presence of malicious packages, this campaign embeds itself into trusted dependencies. Even if developers remove ethers-provider2 or ethers-providerz, the compromised ethers.js files retain the backdoor.
_“This persistence mechanism is a nightmare scenario,” emphasized a Reversing Labs spokesperson. “Attackers no longer need their malware to stay installed. They’ve found a way to ‘burn’ their payload into widely used tools, making remediation a manual, labor-intensive process.”_
Researchers identified two additional packages—reproduction-hardhat and @theoretical123/providers—linked to the same infrastructure. Notably, early versions of ethers-providerz contained path errors that crippled their functionality, prompting the author to withdraw the package temporarily. Reversing Labs warns the threat actor may re-release a patched version, heightening the need for vigilance.
As of publication, ethers-provider2 remains downloadable from npm, though its second-stage payload server is offline, potentially neutralizing active infections. Reversing Labs has shared a YARA rule to help organizations detect remnants of the attack.

Backdoor.Daxin, the kernel-mode rootkit Symantec once called the most advanced tool ever tied to a China-linked espionage actor, has been found running again