Security researchers have uncovered malicious npm packages designed to quietly infect a popular open-source library already installed on the victim's machine. The attack shows how software supply chain threats are becoming more sophisticated and harder to detect.
The two rogue packages, ethers-provider2 and ethers-providerz, were uploaded to the npm registry. ethers-provider2 was downloaded 73 times before it was detected; ethers-providerz, which appears to have been removed by the attacker, recorded no downloads.
What makes this attack more dangerous is its persistence mechanism. Rather than acting only during installation, the malware silently patches the copy of the legitimate ethers package that is already installed on the developer's system. The patched file acts as a backdoor and survives the removal of the malicious package itself.
How the Attack Works
Researchers at ReversingLabs found that ethers-provider2 was a trojanized copy of the legitimate ssh2 npm package. Its install script downloads a second-stage payload from a remote server, executes it, and then deletes the temporary file to hide the activity.
Once running, the payload searches the system for an installed copy of the ethers library. If it finds one, it replaces a key file, provider-jsonrpc.js, with a malicious version. The patched file lets the attacker open a reverse shell on demand, giving them interactive remote access to the infected machine.
Removing ethers-provider2 does not clean the machine: the patched ethers library stays in place. Uninstalling ethers and reinstalling it later does not help either, because the malware re-patches the fresh copy, so the infection persists. Cleaning up means removing the malicious package and then replacing the tampered copy of ethers.
What Makes Malicious npm Packages Alarming
The second package, ethers-providerz, used the same technique but targeted the @ethersproject/providers library instead, silently modifying its files so the backdoor blends into legitimate projects.
Security researchers warn that this tactic raises the stakes for software supply chain attacks. Instead of a one-off infection that disappears with the offending package, the technique buries malicious code inside trusted libraries already on disk, making it much harder to detect and remove.
“Despite limited downloads, these malicious npm packages are highly dangerous,” says researcher Lucija Valentić from ReversingLabs. “If successful, they create hidden backdoors, maintain persistence, and compromise systems even after the malware is uninstalled.”
Why Developers Should Care
This attack is a wake-up call. Developers should review every npm package before installing it, including ones that look harmless, and pay particular attention to scripts that run at install time. The incident also shows that a supply chain attack can reach a well-known library without the official package on the registry ever being compromised.
The ethers package published on npm was not tampered with; the malicious change is made to the copy installed on the victim's machine. That is what makes this case notable: a local modification turned a trusted library into an attack vector.
With software supply chain attacks on the rise, vigilance matters more than ever. Developers should audit their dependencies regularly, install only from verified sources, and monitor their projects for unexpected changes to installed files.