{
  "name": "Malware found on npm infecting local package with reverse shell",
  "slug": "malware-found-on-npm-infecting-local-package-with-reverse-shell",
  "description": "A malware campaign targeting the npm ecosystem has been discovered, involving two malicious packages: ethers-provider2 and ethers-providerz. Both act as downloaders: the published packages conceal the malicious payload rather than shipping it directly. Upon installation, they patch the legitimate, locally installed npm package 'ethers' by adding a new file containing malicious code; this patched file ultimately serves a reverse shell that connects back to the threat actor's server. The infection is evasive and persistent: because the payload lives in the patched 'ethers' copy rather than in the downloader itself, removing the original malicious package does not remove the reverse shell, so remediation must also include removing and reinstalling the affected 'ethers' installation. This package-patching approach demonstrates a high level of sophistication and poses a significant threat to software supply chain security. The campaign also includes other related packages, highlighting the growing scope of risks for both software producers and end-user organizations.",
  "published": "2025-03-26T15:55:35+00:00",
  "created_at": "2025-03-26T15:55:35+00:00",
  "modified_at": "2025-03-26T16:20:41+00:00",
  "created_at_opencti": "2025-03-26T15:55:35+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-03-26",
    "ethers-provider2",
    "ethers-providerz",
    "javascript",
    "npm",
    "package-infection",
    "persistence",
    "reverse shell"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "5.199.166.1"
      }
    ],
    "attack_patterns": [
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "14ea0786-b57c-4a30-8e4e-46944d17eb18",
        "name": "T1036.004"
      },
      {
        "id": "e7d42089-23ed-495f-a2bc-c942c4e56fb7",
        "name": "T1573.002"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "96df92ce-da3e-4c6d-8250-cb250c9ed619",
        "name": "T1554"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ]
  },
  "external_refs": [
    "https://www.reversinglabs.com/blog/malicious-npm-patch-delivers-reverse-shell",
    "https://otx.alienvault.com/pulse/67e43187834511a9e1562b6e"
  ]
}