- Security researchers at ReversingLabs find two malicious packages on NPM
- These serve as downloaders and target software developers building on the Ethereum blockchain
- The malware opens a reverse shell and grants attackers access to target computers
Two malicious packages were recently discovered on the NPM repository, using dubious tactics to target their users.
Cybersecurity researchers from ReversingLabs discovered two packages which were uploaded to the popular repository in early March 2025, named “ethers-provider2” and “ethers-providerz”, names carefully chosen to make victims think that they have something to do with a legitimate package called “ethers”.
The ethers package on NPM is a JavaScript library for interacting with the Ethereum blockchain, allowing developers to send transactions, deploy smart contracts and read blockchain data. It provides a simple and secure API for working with Ethereum wallets, smart contracts and decentralized applications (dApps).
False updates
The two malicious packages served as downloaders, “updating” the legitimate package and turning it sour.
“These were simple downloaders whose malicious payload was intelligently hidden, with a second stage that ‘patches’ the legitimate NPM package ethers, installed locally, with a new file containing the malicious payload,” explained the researchers. “That patched file ultimately serves a reverse shell.”
With a reverse shell, the attackers force the victim’s computer to open a connection to the attacker’s machine, granting them the ability to execute commands, steal data or install malicious software, while successfully bypassing firewalls and similar security measures.
Researchers from ReversingLabs describe the approach as “very sophisticated”.
Since the malware targets the ethers package, it is safe to assume that the victims here are blockchain developers working on the Ethereum platform. And as the malicious software can act as an infostealer, it is also safe to assume that the threat actors are going after people’s cryptocurrency.
As usual, the best way to mitigate the threat and protect against these attacks is to be very careful when downloading open source packages.
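One way to act on that advice, as an added example that is not from the article or from ReversingLabs: a Node.js check that flags declared dependencies whose names imitate a trusted package such as ethers. The trusted list, the sample manifest and its version numbers are constructed for illustration.

```javascript
// Added example, not from the article: flag dependency names that imitate a
// trusted package. TRUSTED and SAMPLE_MANIFEST are constructed for illustration.
const TRUSTED = ["ethers"];
const SAMPLE_MANIFEST = {
  dependencies: { ethers: "^6.0.0", "ethers-provider2": "^1.0.0", express: "^4.0.0" },
  devDependencies: { "ethers-providerz": "^1.0.0", etherz: "^1.0.0" },
};

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// Return every declared dependency that resembles, but is not, a trusted name.
// Hits are candidates for manual review, not verdicts.
function findLookalikes(manifest, trusted = TRUSTED) {
  const names = ["dependencies", "devDependencies", "optionalDependencies"]
    .flatMap((section) => Object.keys(manifest[section] || {}));
  const hits = [];
  for (const raw of names) {
    const name = raw.toLowerCase();
    if (trusted.includes(name)) continue;
    const tokens = name.split(/[^a-z0-9]+/).filter(Boolean);
    for (const good of trusted) {
      if (tokens.includes(good)) {
        hits.push({ name: raw, resembles: good, reason: "embeds trusted name" });
      } else if (editDistance(name, good) <= 2) {
        hits.push({ name: raw, resembles: good, reason: "near-miss spelling" });
      }
    }
  }
  return hits;
}

console.log(findLookalikes(SAMPLE_MANIFEST));
```

Run against a project's own package.json before installing, and review each hit by hand, since legitimate companion packages can also embed a trusted name.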
Via BleepingComputer




