NPM Nightmare: Malicious Packages Sneakily Install Unremovable Backdoors!

ReversingLabs discovered two npm packages, ethers-provider2 and ethers-providerz, that stealthily patch the legitimate ethers package with a reverse-shell backdoor. Because the malicious code is written into ethers itself rather than living in the packages that planted it, uninstalling ethers-provider2 or ethers-providerz leaves the backdoor in place. The campaign is a reminder to verify a package's provenance and to read what its install scripts actually do before adding it to a project.


Hot Take:

Why hire a magician to make things disappear when you can just use malicious npm packages? Voilà! Hackers have found a way to linger like that one friend who just won’t leave the party. Even after you think you’ve booted them out, they’re still chilling in your ‘ethers’ package, sipping on your data like a fancy cocktail.

Key Points:

– Two malicious npm packages, ‘ethers-provider2’ and ‘ethers-providerz’, were found injecting a reverse-shell backdoor into the locally installed ‘ethers’ package.
– Removing the malicious packages does not remove the backdoor, because the patched file belongs to ‘ethers’, not to the packages that planted it.
– The attack relies on a modified ‘install.js’ script that runs at install time and downloads additional malicious payloads from an attacker-controlled server.
– The attackers take deliberate steps to hide the payloads and to keep the trojanized package behaving like the legitimate one, so nothing looks wrong at runtime.
– Researchers recommend vigilance when installing packages and have published a YARA rule to detect the backdoor.

The Nimble Nerd