In a recent development, security researchers have uncovered a sophisticated attack targeting the Node Package Manager (NPM) ecosystem. This campaign involves malicious packages named `ethers-provider2` and `ethers-providerz`, which employ advanced techniques to infiltrate and compromise developer environments. These packages act as downloaders, injecting malicious code into locally installed versions of the legitimate `ethers` package, ultimately establishing a reverse shell on the victim’s machine. This level of sophistication underscores the evolving nature of supply chain attacks within the open-source community.
The `ethers-provider2` Malware Delivery
The `ethers-provider2` package, available on NPM at the time of discovery, masquerades as the legitimate and widely used `ssh2` package. While it contains the authentic `ssh2` source code, it includes malicious additions designed to compromise systems upon installation.
Upon installation, the `install.js` file within `ethers-provider2` is altered to download a second-stage malware from a remote server. This downloaded script is executed and immediately deleted, a tactic uncommon in legitimate packages and indicative of malicious intent.
The second-stage malware operates by continuously checking for the presence of the legitimate `ethers` package on the local system. Once detected, it replaces the `provider-jsonrpc.js` file with a modified version containing malicious code that downloads and executes third-stage malware from the same remote server.
Additionally, the second-stage malware creates a `loader.js` file that replicates the “patching” functionality and executes it. The final stage involves establishing a reverse shell connection to the attacker’s server, utilizing an SSH client from the `ethers-provider2` package. This client, while functioning similarly to a legitimate `ssh2` client, is modified to receive specific messages that initiate the reverse shell. Critically, this reverse shell remains active even after the `ethers-provider2` package is removed, providing persistence for the attackers.
The `ethers-providerz` Package
The `ethers-providerz` package, part of the same campaign, had three versions, with the last two bearing similarities to `ethers-provider2`. The first version appeared to be a test version with non-functional components. The malicious payload, located in the `install.js` script, attempts to patch files of the `@ethersproject/providers` package. However, the file paths were incorrectly defined, leaving the specific target package uncertain.
The payload also creates and executes a malicious `loader.js` file in the `node_modules` folder, which downloads the second stage from the same remote server as `ethers-provider2`. The threat actor may have been attempting to “patch” a common, legitimate, and locally installed NPM package with a nearly identical version containing malicious code.
Additional Malicious Packages
Following the discovery of `ethers-provider2` and `ethers-providerz`, researchers identified additional packages potentially linked to the campaign: `reproduction-hardhat` and `@theoretical123/providers`. Both packages have been removed from NPM. This campaign highlights the growing software supply chain risks for both software producers and end-user organizations.
Implications and Recommendations
Despite a decrease in malware on open-source repositories in 2024, malicious actors remain actively involved in distributing malicious packages to developers. The sophistication of this attack, particularly the persistence mechanism, underscores the need for heightened vigilance within the developer community.
To mitigate such risks, developers and organizations should:
1. Verify Package Authenticity: Before installing any package, especially those with names similar to popular libraries, verify the authenticity of the package and its maintainers.
2. Implement Strict Version Control: Use strict version control policies to prevent unauthorized or unintended package updates.
3. Regularly Audit Dependencies: Conduct regular audits of project dependencies to identify and remove any malicious or unnecessary packages.
4. Utilize Security Tools: Employ security tools that can detect and prevent the installation of malicious packages.
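One way to act on item 3, as an added example that is not code from the original write-up or from any of the packages it discusses: a Python audit that walks a `node_modules` tree for the three local artefacts the article describes (a stray `loader.js` in the `node_modules` root, a package whose lifecycle script runs `install.js`, and a pinned file such as `provider-jsonrpc.js` whose hash no longer matches the one recorded at a known-good install). The directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib, json, os, tempfile

# Indicators taken from the write-up: a stray loader.js in the node_modules
# root, packages whose lifecycle scripts run install.js, and a pinned file
# (here provider-jsonrpc.js) whose content no longer matches its recorded hash.
LIFECYCLE_KEYS = ("preinstall", "install", "postinstall")

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def audit_node_modules(root, baseline):
    """Return (indicator, relative path) pairs; baseline maps paths recorded
    at a known-good install to their SHA-256 digests."""
    findings = []
    if os.path.isfile(os.path.join(root, "loader.js")):
        findings.append(("stray-loader", "loader.js"))
    for dirpath, _dirs, filenames in os.walk(root):
        if "package.json" in filenames:
            with open(os.path.join(dirpath, "package.json")) as fh:
                scripts = json.load(fh).get("scripts", {})
            if any("install.js" in str(scripts.get(k, "")) for k in LIFECYCLE_KEYS):
                rel = os.path.relpath(os.path.join(dirpath, "package.json"), root)
                findings.append(("lifecycle-install-script", rel))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel in baseline and sha256_file(full) != baseline[rel]:
                findings.append(("modified-pinned-file", rel))
    return findings

def write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)

def demo():
    """Build a constructed node_modules tree, tamper with it, and audit it."""
    root = os.path.join(tempfile.mkdtemp(), "node_modules")
    target = "ethers/lib/providers/provider-jsonrpc.js"  # constructed layout
    write(root, target, "module.exports = { JsonRpcProvider: {} };\n")
    baseline = {target: sha256_file(os.path.join(root, target))}
    # Simulate the tampering the article describes (constructed content).
    write(root, target, "/* patched */ module.exports = {};\n")
    write(root, "loader.js", "// dropped loader\n")
    write(root, "ethers-provider2/package.json", json.dumps(
        {"name": "ethers-provider2", "scripts": {"install": "node install.js"}}))
    return sorted(audit_node_modules(root, baseline))
```

Record the baseline hashes right after a clean install from a reviewed lockfile; a lockfile's integrity field only covers the downloaded tarball, not files rewritten afterwards by another package's install script.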
By adopting these practices, developers can enhance the security of their projects and contribute to the overall integrity of the open-source ecosystem.