
Malicious npm packages discovered to create a backdoor in legit code

The ethers-providerz package is similar to ethers-provider2, but earlier versions show that the attackers experimented with different approaches until landing on the current implementation. For example, in that version the attackers tried to patch files from a package called @ethersproject/providers.

Additionally, the extra file loader.js, which contains the download code for the third-stage payload, is created in the node_modules folder, where all npm packages normally reside. The interesting part is that there is a legitimate npm package called loader.js that has over 24 million downloads and 5,200 dependent applications. If this package is already present locally, the malware will patch it. If it is not, the malware will impersonate it.
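A defender can triage a project for the behaviour described above by checking whether `node_modules/loader.js` is accounted for by the lockfile. The following is an added example, not code from ReversingLabs or from the original article; it assumes a standard `package-lock.json` (v1, v2 or v3), and the function names, version numbers and sample trees are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

NAME = "loader.js"  # package name taken from the article

def locked_names(lock: dict) -> set:
    """Top-level package names recorded in a package-lock.json (v1, v2 or v3)."""
    names = {k[len("node_modules/"):] for k in lock.get("packages", {})
             if k.startswith("node_modules/")}
    return names | set(lock.get("dependencies", {}))

def check_loader(project: Path) -> str:
    """Classify node_modules/loader.js in one project directory."""
    entry = project / "node_modules" / NAME
    if not entry.exists():
        return "absent"
    lock_file = project / "package-lock.json"
    lock = json.loads(lock_file.read_text()) if lock_file.is_file() else {}
    if entry.is_file():
        return "suspicious: plain file where a package directory belongs"
    if NAME not in locked_names(lock):
        return "suspicious: present on disk but not in package-lock.json"
    manifest = entry / "package.json"
    installed = (json.loads(manifest.read_text()).get("version")
                 if manifest.is_file() else None)
    locked = (lock.get("packages", {}).get("node_modules/" + NAME)
              or lock.get("dependencies", {}).get(NAME) or {}).get("version")
    if installed != locked:
        return "suspicious: installed version differs from lockfile"
    # A declared package can still have patched files; only a reinstall rules that out.
    return "declared: reinstall with npm ci to rule out patched files"

def demo() -> dict:
    """Run the check on three constructed project trees (sample data, not real)."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for case, locked in (("clean", True), ("undeclared", False), ("file", False)):
            proj = Path(tmp) / case
            target = proj / "node_modules" / NAME
            target.parent.mkdir(parents=True)
            pkgs = {"node_modules/" + NAME: {"version": "1.0.0"}} if locked else {}
            (proj / "package-lock.json").write_text(
                json.dumps({"lockfileVersion": 3, "packages": pkgs}))
            if case == "file":
                target.write_text("// constructed placeholder\n")
            else:
                target.mkdir()
                (target / "package.json").write_text(json.dumps({"version": "1.0.0"}))
            out[case] = check_loader(proj)
    return out
```

A "declared" result covers only the impersonation case; the patching case changes files inside a legitimately installed package, which this check cannot see without a clean reinstall from the lockfile.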

“While not as widespread as infostealers on the npm platform, downloaders are far from uncommon and are frequently encountered,” the ReversingLabs researchers said. “However, this downloader is notable because of the distinctive methods employed by the attackers to hide the malicious payload it delivered. These evasive methods were more thorough and effective than we have observed in npm-based downloaders before.”
