Cybersecurity experts have identified two malicious packages on the npm registry, marking an alarming evolution in software supply chain attacks aimed at the open-source ecosystem. The identified packages, ethers-provider2 and ethers-providerz, have been found to exploit existing packages installed on users’ systems, changing the landscape of threats facing developers.
The ethers-provider2 package, published on March 15, 2025, has been downloaded 73 times, so some users have unknowingly introduced potential vulnerabilities into their systems. The second package, ethers-providerz, appears to have been removed by its author without attracting any downloads.
According to ReversingLabs researcher Lucija Valentić, the packages appear to be simple downloaders, with the malicious payload cleverly disguised. Their true intent is revealed during execution, when they ‘patch’ the locally installed, legitimate npm package ethers with harmful code capable of establishing a reverse shell.
Notably, removing the malicious packages does not restore system integrity, because the changes made to the original ethers package persist. The threat actor can also regain access if the code is reapplied: removing the ethers package without eliminating ethers-provider2 could lead to reinfection during future installations.
Further analysis reveals that the ethers-provider2 package contains a trojanized version of ssh2, which executes malicious commands to fetch additional malware from a remote server. The installation script retrieves data while attempting to erase traces of its presence.
Moreover, the functionality is designed to sustain persistent attacks on developer environments, as evidenced by the second package’s similar attack vector targeting the @ethersproject/providers package. Developers should be cautious given the deceptive appearance of these packages.
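The check below is an added example, not code from ReversingLabs or from the article's sources. Because the patch outlives the malicious package, it compares the installed copies of ethers and @ethersproject/providers file by file against a clean reference copy, and separately reports whether either named package is still present. The function names and the reference layout (a clean copy of each package unpacked under one root directory) are assumptions.

```javascript
// Added example; function names and the reference-directory layout are assumptions.
const crypto = require('crypto');
const fs = require('fs');
const path = require('path');

// Package names taken from the article.
const SUSPECT = ['ethers-provider2', 'ethers-providerz'];
const PATCH_TARGETS = ['ethers', '@ethersproject/providers'];

// Map every regular file under `root` to its SHA-256 (relative path -> hex digest).
function hashTree(root, rel = '', out = new Map()) {
  for (const entry of fs.readdirSync(path.join(root, rel), { withFileTypes: true })) {
    const child = path.join(rel, entry.name);
    if (entry.isDirectory()) {
      // Nested dependencies are not part of the package's own tarball; skip them.
      if (entry.name !== 'node_modules') hashTree(root, child, out);
    } else if (entry.isFile()) {
      const data = fs.readFileSync(path.join(root, child));
      out.set(child.split(path.sep).join('/'), crypto.createHash('sha256').update(data).digest('hex'));
    }
  }
  return out;
}

// Compare an installed package directory with a clean reference copy of the same version.
function diffPackage(installedDir, referenceDir) {
  const got = hashTree(installedDir), want = hashTree(referenceDir);
  const modified = [], added = [], missing = [];
  for (const [file, digest] of got) {
    if (!want.has(file)) added.push(file);
    else if (want.get(file) !== digest) modified.push(file);
  }
  for (const file of want.keys()) if (!got.has(file)) missing.push(file);
  return { modified: modified.sort(), added: added.sort(), missing: missing.sort() };
}

// Report suspect packages still installed AND patch targets that differ from the
// reference, since a target can stay modified after the suspect package is removed.
function auditProject(projectDir, referenceRoot) {
  const nm = path.join(projectDir, 'node_modules');
  const suspects = SUSPECT.filter((name) => fs.existsSync(path.join(nm, name)));
  const tampered = {};
  for (const name of PATCH_TARGETS) {
    const installed = path.join(nm, name), reference = path.join(referenceRoot, name);
    if (!fs.existsSync(installed) || !fs.existsSync(reference)) continue;
    const d = diffPackage(installed, reference);
    if (d.modified.length || d.added.length || d.missing.length) tampered[name] = d;
  }
  return { suspects, tampered };
}
```

The reference copy must be the same version as the installed one and obtained on a machine that never had the named packages installed; any reported difference means the package should be deleted and reinstalled after the suspect packages are gone.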
As attacks grow increasingly sophisticated, the cybersecurity community stresses the need for vigilance, especially when utilizing open-source libraries and packages. Thorough audits and scrutiny of external packages remain essential to keeping development environments secure.