New Malware Attack Targets Popular Ethereum Library with Backdoor – Hackread


Security researchers have uncovered a new malware campaign on the npm package repository that infects developers' systems in an unusual way. Rather than carrying the payload in the malicious package itself, the attack plants it inside legitimate software that is already installed on the victim's machine.

The campaign centres on two packages, ethers-provider2 and ethers-providerz, which at first glance look like harmless downloaders. Their real purpose is to tamper with ethers, a widely used npm library for interacting with the Ethereum blockchain, by implanting a malicious file. The modified copy of ethers then opens a backdoor that gives the attackers remote control of the compromised system.

What sets this attack apart is the effort spent on hiding the payload. ReversingLabs' analysis found that the malware takes elaborate steps to cover its tracks, including deleting the temporary files used during infection, something rarely seen in npm-based malware.

According to researchers, "These evasive techniques were more thorough and effective than we've observed in npm-based downloaders before." Removing the initial malicious package is no guarantee of safety: the altered ethers package stays in place, and the malware can re-infect it if it is reinstalled.

The attack unfolds in stages, each downloaded in turn. The initial downloader fetches a second stage, which checks whether ethers is installed locally. If it is, the second stage replaces one of the library's files with a modified version; when that file is loaded it downloads and executes the final stage, a reverse shell that gives the attackers full control of the host.

ethers-providerz had already been removed from npm, but ethers-provider2 was still available when the research was published, so the researchers reported it to npm's maintainers. They also linked additional packages, including reproduction-hardhat and @theoretical123/providers, to the same campaign; these have since been removed.

ReversingLabs has also published a YARA rule that developers can run against their locally installed copy of ethers to check whether it has been tampered with.

This incident is a reminder that malicious packages remain a serious problem in the npm ecosystem. Even though the number of malware incidents dipped slightly in 2024, threat actors keep devising new ways into the software supply chain, so developers need to stay vigilant and adopt robust protections for themselves and their projects.

The campaign is one more example of a threat landscape that developers and security teams must keep navigating carefully if they are to manage the risk.