Critical Supply Chain Attack Discovered: Sophisticated Malware Targets Popular Ethereum Development Libraries

CyberSecureFox 🦊

Security researchers at ReversingLabs have uncovered a sophisticated supply chain attack targeting the npm ecosystem, specifically Ethereum development libraries. The attack involves two malicious packages with advanced persistence capabilities: the modifications they make remain active even after the packages themselves are removed from the system.

Advanced Persistent Threat: Understanding the Attack Mechanism

The discovered malicious packages, ethers-provider2 and ethers-providerz, implement a multi-stage attack strategy targeting popular Ethereum development tools. The primary package leverages the widely-used ssh2 library as a foundation, incorporating a modified install.js script that fetches and executes additional malicious payloads while automatically concealing traces of its activity.

Multi-Stage Infection Process Reveals Sophisticated Tactics

The attack’s second stage involves a clever manipulation of the legitimate ethers package. Upon detecting its presence, the malware replaces the original provider-jsonrpc.js file with a compromised version. This modified component subsequently downloads a third-stage payload, establishing a reverse shell through a disguised SSH client, demonstrating the attackers’ sophisticated operational security measures.

Technical Analysis of the Secondary Attack Vector

The companion package, ethers-providerz, employs similar attack techniques but targets the @ethersproject/providers library specifically. Both packages ultimately establish communication with the same command and control server (5[.]199[.]166[.]1:31337), indicating a coordinated attack campaign. Early versions of this package contained implementation flaws, leading to their removal from the repository.

Detection and Mitigation Strategies

Security researchers have identified additional potentially related packages, including reproduction-hardhat and @theoretical123/providers, expanding the scope of this threat. To combat this attack vector, Reversing Labs has developed specialized YARA rules enabling organizations to detect traces of this malicious campaign within their development environments.

This incident highlights the evolving sophistication of software supply chain attacks and emphasizes the critical importance of implementing robust security measures in development workflows. Organizations should implement automated security scanning tools, conduct regular dependency audits, and maintain strict version control practices. Development teams are strongly advised to verify the authenticity of all third-party packages and implement comprehensive security monitoring solutions to protect against similar supply chain compromises.
