
Mar 26, 2025 | Ravie Lakshmanan | Supply Chain Attack / Malware

Cybersecurity experts have identified two rogue packages on the npm registry that have been designed to compromise a locally installed package, demonstrating the ongoing evolution of software supply chain attacks targeting the open-source ecosystem.

The packages in question, ethers-provider2 and ethers-providerz, have been found to be malicious, with the former having been downloaded 73 times since its publication on March 15, 2025. The latter package, which was likely removed by the malware author, did not attract any downloads.

“They were simple downloaders whose malicious payload was cleverly hidden,” ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News.

“The interesting aspect of these packages lies in their second stage, which would ‘patch’ the legitimate npm package ethers, installed locally, with a new file containing the malicious payload. This patched file would ultimately serve as a reverse shell.”

This development marks a new escalation of threat actors’ tactics, as removing the rogue packages won’t eliminate the malicious functionality from compromised machines, since the changes reside in the popular library. Furthermore, if an unsuspecting user removes the ethers package when ethers-provider2 remains on the system, it risks reinfection when the package is installed again at a later time.

ReversingLabs’ analysis of ethers-provider2 has revealed that it is essentially a trojanized version of the widely used ssh2 npm package that includes a malicious payload within install.js to retrieve a second-stage malware from a remote server (“5.199.166[.]1:31337/install”), write it to a temporary file, and run it.

Upon execution, the temporary file is deleted from the system in an attempt to avoid leaving any traces. The second-stage payload then starts an infinite loop to check if the npm package ethers is installed locally.

In the event that the package is already present or gets freshly installed, it springs into action by replacing one of the files named “provider-jsonrpc.js” with a counterfeit version that packs in additional code to fetch and execute a third-stage from the same server. The newly downloaded payload functions as a reverse shell to connect to the threat actor’s server over SSH.

Valentić noted, “That means that the connection opened with this client turns into a reverse shell once it receives a custom message from the server. Even if the package ethers-provider2 is removed from a compromised system, the client will still be used under certain circumstances, providing a degree of persistence for the attackers.”

It is essential to note that the official ethers package on the npm registry is not compromised, as the malicious modifications are made locally post-installation.

The second package, ethers-providerz, also behaves similarly in that it attempts to alter files associated with a locally installed npm package called “@ethersproject/providers.” Although the exact npm package targeted by the library is unknown, source code references indicate it could have been loader.js.

These findings highlight the novel ways threat actors are serving and persisting malware in developer systems, making it crucial that packages from open-source repositories are carefully scrutinized before downloading and using them.

Valentić emphasized, “Despite the low download numbers, these packages are powerful and malicious. If their mission is successful, they will corrupt the locally installed package ethers and maintain persistence on compromised systems even if that package is removed.”
