New npm attack poisons local packages with backdoors
Researchers at Reversing Labs identified two malicious packages on npm targeting the ‘ethers' package: ‘ethers-provider2' and ‘ethers-providerz.' These packages stand out because they download a secondary malware stage that monitors the legitimate ‘ethers' package, then swaps its ‘provider-jsonrpc.js' with a trojanized version. This trojanized file downloads a third-stage malware that creates a reverse shell to a malicious IP address. Reversing Labs emphasizes the severity of this issue, as removing the malicious package does not eliminate the risk since the trojanized legitimate package can still harbor the malware.