Source: www.csoonline.com – Author:
Researchers found malicious packages on the npm registry that, when installed, inject malicious code into legitimate npm packages already residing on developers’ machines.
Attackers who target developers through malicious packages hosted on the npm repository are using a new persistence technique that involves backdooring legitimate packages already installed in victims’ local environments.
This tactic complicates incident response and infection clean-up efforts because it allows attackers to maintain access to the compromised development environments even after the malicious npm package is discovered and removed.
“While there was a drop in instances of malware discovered on open-source repositories like npm and PyPI in 2024, threat actors have not lost interest in promoting malicious packages to open-source developers,” researchers from cybersecurity firm ReversingLabs said in a report. “This latest campaign is evidence that the risk of downloading malware and compromising development environments and networks remains high, while novel ways of serving malicious payloads are emerging.”
Second-stage local package patching
The ReversingLabs researchers have identified two rogue packages hosted on the npm registry that exhibit the new infection behavior. One is called ethers-provider2, and the other ethers-providerz. Judging by their names, they are intended to pose as software libraries related to the Ethereum cryptocurrency chain. However, their code is copied from unrelated popular packages.
For example, ethers-provider2 is an almost verbatim copy of the ssh2 package, which provides an SSH2 client and server module written in JavaScript. The ssh2 package has over 350 million downloads and 1,600 dependent applications.
“The ethers-provider2 package contains the ssh2 source code, adding some malicious elements to it,” the researchers said. “So, the whole package functions exactly how the ssh2 package would — with something extra.”
The modified file is install.js, which is executed during installation and to which attackers added instructions to download a second-stage malware payload from a remote server. This payload is saved to a temporary file that gets deleted after execution.
This second-stage malware checks in a loop if the legitimate npm package ethers is installed locally. Ethers is described as a “compact Ethereum library, for apps, wallets and any other tools” and has over 185 million downloads.
If this package is installed locally, the malware modifies or patches its provider-jsonrpc.js file to include malicious code that, when run, downloads and executes a third-stage malware payload.
“The second-stage malware also creates a file, loader.js, which writes code with the same functionality as the malicious code used to ‘patch’ the ethers’ file, and then runs it,” the researchers said.
The reason for this apparent duplication of functionality is that the patching of the ethers package is just a backup persistence mechanism that will be triggered in the future whenever the ethers package is executed by the victims as part of a project. But until then, the attackers want the infection chain to complete and they need the third-stage payload to be deployed.
Attackers open a reverse shell
This payload is a reverse shell that uses the ssh2 client functionality from the original ethers-provider2 to establish an SSH connection to an attacker-controlled server. The ethers-provider2 ssh client code is modified to listen to certain messages from the server and turn into a reverse shell, meaning the server can send commands to the client in order for them to be executed locally on the victim machine that is acting as a remote shell for the attackers.
The ethers-providerz package is very similar to ethers-provider2, but its earlier versions reveal that the attackers experimented with different approaches before settling on the current implementation. For example, in one earlier version the attackers tried to patch files from a package called @ethersproject/providers.
Also, the additional file loader.js that contains the download code for the third-stage payload is created in the node_modules folder, where npm packages are usually installed. The interesting part is that there is a legitimate npm package called loader.js that has over 24 million downloads and 5,200 dependent applications. If this package is already present locally, the malware will patch it. If it’s not, it will impersonate it.
“While not as common as infostealers on the npm platform, downloaders are far from uncommon and are frequently encountered,” the ReversingLabs researchers said. “However, this downloader is notable because of the exceptional strategies employed by the attackers to hide the malicious payload it delivered. These evasive techniques were more thorough and effective than we have observed in npm-based downloaders before.”
Detection and mitigation
The problem is that if the ethers-providerz and ethers-provider2 packages are removed, the malicious functionality they injected into the legitimate ethers package still remains. Because of this, the ReversingLabs researchers created a YARA scanning rule that can help security teams and developers check whether the locally installed instance of the ethers package has had malicious code injected into it.
Moreover, after the researchers completed their initial research, additional packages were found that were likely connected to the same malicious campaign: reproduction-hardhat and @theoretical123/providers. While all of these packages have been removed from npm, they also need to be removed from local installations if they were ever deployed.
The ReversingLabs team has published a list of indicators of compromise, such as file hashes for the different versions of these malicious packages, which can help security teams create scanning rules.
Original Post url: https://www.csoonline.com/article/3855530/malicious-npm-packages-found-to-create-a-backdoor-in-legitimate-code.html
Category & Tags: Software Development, Threat and Vulnerability Management, Vulnerabilities