Introduction
A recent malware campaign has been identified targeting the npm package registry. It uses two malicious packages, “ethers-provider2” and “ethers-providerz”, to run a multi-stage attack that plants a backdoor on systems where they are installed. The packages pose as legitimate tools and, once installed, tamper with the locally installed copy of the popular ethers library, which makes them a software supply chain risk.
Description
A malware campaign has been identified targeting the npm package repository. It uses two malicious packages, “ethers-provider2” and “ethers-providerz”, to carry out a multi-stage attack that creates a backdoor on infected systems. The packages masquerade as legitimate tools [9]; ethers-provider2 is a trojanized copy of the widely used ssh2 package [3], which has more than 350 million downloads [9]. Their target is the locally installed copy of the widely used ethers package, a library for interacting with the Ethereum blockchain [1] [9]: they patch it to include malicious files that give the attacker remote access to the compromised system.
Ethers-provider2 was downloaded 73 times after its release on March 15, 2025 [3]. Ethers-providerz, which contains coding errors and is most likely a test version, attracted no downloads and has since been removed by its author [3] [4]. Both packages function as downloaders whose hidden payload compromises the legitimate ethers package by injecting a multi-stage reverse shell. When ethers-provider2 is installed, its install script runs a second-stage file that deletes itself to evade detection [9] and fetches further components from a remote server controlled by the attacker [1] [3] [7] [9] [10]. This second stage checks whether the legitimate ethers package is present [3] [4] [10] and, if it is [8], replaces one of its files, provider-jsonrpc.js, with a patched version [1] [3] [4] [7] [9] [10]. The patched file downloads a third-stage payload that establishes a reverse shell to the attacker’s server over SSH [3] [4] [7] [10].
Ethers-provider2 also creates and executes a malicious loader.js file so that the infection survives the removal of ethers-provider2 itself. Because the implant lives in the modified ethers package rather than in the downloader, the modified package persists and can re-infect the system upon reinstallation, allowing the attacker to keep access to the compromised system [1].
Detection of these packages was helped by their low download counts and by the fact that the malicious code in the install scripts was not obfuscated [10]. Detection efforts have also included a YARA rule for identifying compromised npm packages [2]. After ethers-provider2 and ethers-providerz were discovered, further packages that appear to be linked, “reproduction-hardhat” and “@theoretical123/providers”, were identified and removed from npm [4]. That the malicious functionality persists even after ethers-provider2 is removed [10] underscores the supply chain risk such threats pose and the need for stronger defenses [4]. The official ethers package on the registry is not compromised [3] [8]; the modification happens locally after installation [3], which marks a shift in how threat actors deploy and maintain malware in developer environments [3]. A practical consequence is that the integrity of an installed ethers copy cannot be judged from the registry alone: the local node_modules tree has to be inspected, and the install-time scripts of third-party packages are the entry point to watch (npm’s --ignore-scripts flag prevents them from running). Developers are advised to exercise caution when installing from open-source repositories and to maintain strong security practices to protect against such threats.
Conclusion
The discovery of the malicious packages “ethers-provider2” and “ethers-providerz” highlights the ongoing threat to software supply chains. Because the infection persists in the patched ethers copy even after the malicious package is removed [6], defenses cannot stop at the registry: open-source dependencies and the development environments they are installed into must both be monitored. Developers must adopt stringent security practices to safeguard against such attacks and preserve the integrity of their environments, and as threat actors keep evolving their tactics, proactive threat detection and mitigation become increasingly critical.
References
[1] https://hackread.com/npm-malware-infects-ethereum-library-with-backdoor/
[2] https://www.hendryadrian.com/malware-found-on-npm-infecting-local-package-with-reverse-shell/
[3] https://codesanitize.com/malicious-npm-bundle-modifies-native-ethers-library-to-launch-reverse-shell-assaults/
[4] https://cybersecuritynews.com/new-npm-attack-infecting-local-packages/
[5] https://gixtools.net/2025/03/malicious-npm-package-modifies-local-ethers-library-to-launch-reverse-shell-attacks/
[6] https://thenimblenerd.com/article/npm-nightmare-malicious-packages-turn-trusted-code-into-trojan-horses/
[7] https://www.infosecurity-magazine.com/news/malicious-npm-packages-deliver/
[8] https://tnsafety.com/sophisticated-npm-package-malware-injects-persistent-reverse-shell
[9] https://www.wizcase.com/news/npm-malware-ethers-backdoor-hackers/
[10] https://securityboulevard.com/2025/03/malware-found-on-npm-infecting-local-package-with-reverse-shell/