- ReversingLabs security researchers find two malicious packages on npm
- They act as downloaders targeting software developers who build on the Ethereum blockchain
- The malware opens a reverse shell, giving attackers access to the targeted computers
Two malicious packages that use stealthy backdoors to target its users were recently discovered in the npm repository.
ReversingLabs cybersecurity researchers discovered two packages uploaded to the popular repository in early 2025, named “ethers-provider2” and “ethers-providerz”, names carefully chosen to trick victims into thinking they were related to the legitimate “ethers” package.
The ethers package on npm is a JavaScript library for interacting with the Ethereum blockchain, allowing developers to send transactions, deploy smart contracts and read blockchain data. It provides a simple and safe API for working with Ethereum wallets, smart contracts and decentralized applications (dApps).
Fake updates
The two malicious packages served as downloaders, “updating” the legitimate package and turning it malicious.
“These were simple downloaders whose malicious payload was intelligently hidden, with a second stage that ‘patches’ the legitimate, locally installed npm ethers package with a new file that contains the malicious payload,” the researchers explained. “That patched file ultimately serves a reverse shell.”
With a reverse shell, the attackers make the victim’s computer initiate a connection back to the attacker’s machine, giving them the ability to run commands, steal data or install malware while bypassing firewalls and similar security measures.
ReversingLabs researchers describe the approach as “highly sophisticated.”
Since the malware targets the ethers package, it is safe to assume that the victims are blockchain developers working on the Ethereum platform. And given that the malware can act as an infostealer, it is also safe to assume that the threat actors are after people’s cryptocurrency.
As usual, the best way to mitigate the threat and protect against these attacks is to be very careful when downloading open source packages.
Via BleepingComputer