
Malicious actors have adopted a new tactic in their attacks on the npm ecosystem—two nefarious packages clandestinely modify legitimate libraries already installed on the system, embedding a reverse shell to maintain persistent access to the victim’s environment. Even after the malicious packages are removed, the backdoor remains operational, concealed within the altered version of a trusted package.
This highly unconventional method of compromise was reported by researchers at Reversing Labs, who were analyzing open-source software supply chains. While the malicious packages did not achieve widespread distribution, the researchers warn of the significant danger they pose. They note that although loaders for malicious code occasionally appear on npm—typically in the form of infostealers—this instance features an especially sophisticated payload concealment strategy that warrants particular scrutiny.
The identified packages are named “ethers-provider2” and “ethers-providerz.” The former, which remained accessible on npm at the time of publication, is based on the popular “ssh2” library. However, unlike its legitimate counterpart, it contains a modified install.js script. Upon installation, the script retrieves the second stage of the malicious code from an external source, executes it, and then erases itself in an attempt to leave no trace.
The second stage monitors the system for the presence of the widely used “ethers” package. If found, it replaces the provider-jsonrpc.js file with a tampered version embedding malicious code. This injected code connects to a remote host, from which it downloads a third-stage payload—a fully functional reverse shell. The shell is implemented using a modified SSH client, carefully disguised to mimic the legitimate behavior of the ssh2 library.
The gravest danger lies in the persistence of the backdoor: removing “ethers-provider2” does not eliminate the infection. The compromised file within the ethers package remains active, leaving the system vulnerable even after the malicious module is uninstalled.
The second malicious package, “ethers-providerz,” follows a similar blueprint but targets a different module—@ethersproject/providers. It likewise injects a payload into a legitimate library and establishes a reverse shell pointing to the same attacker-controlled IP address: 5[.]199[.]166[.]1:31337.
According to Reversing Labs, earlier versions of “ethers-providerz” contained file path errors that prevented successful execution. However, the author has since removed the package from npm, possibly with the intent of refining and republishing it. During their investigation, the researchers also identified two additional suspicious packages—“reproduction-hardhat” and “@theoretical123/providers”—which may be tied to the same malicious campaign.
To aid in detection, Reversing Labs has released a YARA rule designed to identify known components of the malware. Developers are strongly encouraged to audit their environments for indicators of compromise.
Security analysts emphasize the critical importance of scrutinizing source code and verifying developer authenticity when installing packages from public repositories like npm or PyPI. Special attention should be paid to obfuscated code, unexplained external connections, and suspicious behavior within installation scripts.