National Cyber Warfare Foundation (NCWF)

Malware found on npm infecting local package with reverse shell


2025-03-26 13:08:54
milo
Blue Team (CND)

Unlike some other public repositories, the npm package repository is never really quiet. And, while there has been some decline in malware numbers between 2023 and 2024, this year's numbers don’t seem to continue that downward trend. Still, while RL has detected some interesting npm malware so far this year, none of it warranted a detailed writeup.


Then March rolled around, and two very interesting packages were published on npm: ethers-provider2 and ethers-providerz. These were simple downloaders whose malicious payload was cleverly hidden, with a second stage that “patches” the legitimate npm package ethers, installed locally, with a new file containing the malicious payload. That patched file ultimately serves a reverse shell.  


This approach reveals a high level of sophistication on the threat actor’s part that deserves some further analysis and exploration. 
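A defender can check for the kind of tampering described above, a new file written into a locally installed legitimate package, by comparing the installed tree against a known-clean copy of the same version. The following is an added example, not code from the original article; it assumes a clean copy is available (for instance, unpacked from the registry tarball), and the directory and file names in the sample are constructed.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const crypto = require('crypto');

// Map every regular file under root to its SHA-256, keyed by relative path.
function hashTree(root, rel = '', out = new Map()) {
  for (const ent of fs.readdirSync(path.join(root, rel), { withFileTypes: true })) {
    const child = path.join(rel, ent.name);
    if (ent.isDirectory()) hashTree(root, child, out);
    else if (ent.isFile()) {
      const data = fs.readFileSync(path.join(root, child));
      out.set(child, crypto.createHash('sha256').update(data).digest('hex'));
    }
  }
  return out;
}

// Compare an installed package against a known-clean copy of the same version.
function diffPackage(cleanDir, installedDir) {
  const clean = hashTree(cleanDir), live = hashTree(installedDir);
  const added = [], modified = [], missing = [];
  for (const [file, digest] of live) {
    if (!clean.has(file)) added.push(file);
    else if (clean.get(file) !== digest) modified.push(file);
  }
  for (const file of clean.keys()) if (!live.has(file)) missing.push(file);
  return { added: added.sort(), modified: modified.sort(), missing: missing.sort() };
}

// Constructed sample: two tiny trees standing in for a clean and a tampered install.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'pkgdiff-'));
  const write = (dir, file, text) => {
    fs.mkdirSync(path.dirname(path.join(base, dir, file)), { recursive: true });
    fs.writeFileSync(path.join(base, dir, file), text);
  };
  write('clean', 'package.json', '{"name":"ethers"}');
  write('clean', 'lib/index.js', 'module.exports = {};');
  write('live', 'package.json', '{"name":"ethers"}');
  write('live', 'lib/index.js', 'require("./extra"); module.exports = {};');
  write('live', 'lib/extra.js', '/* placeholder for an unexpected file */');
  const result = diffPackage(path.join(base, 'clean'), path.join(base, 'live'));
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

Any entry under `added` or `modified` for a package that should be byte-identical to its published version is a reason to reinstall from a trusted source and investigate the host.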


The post Malware found on npm infecting local package with reverse shell appeared first on Security Boulevard.



Lucija Valentić

Source: Security Boulevard
Source Link: https://securityboulevard.com/2025/03/malware-found-on-npm-infecting-local-package-with-reverse-shell/?utm_source=rss&utm_medium=rss&utm_campaign=malware-found-on-npm-infecting-local-package-with-reverse-shell

