Malicious npm packages found to create a backdoor in legitimate code

The ethers-providerz package is very similar to ethers-provider2, but its earlier versions reveal that the attackers experimented with different approaches before settling on the current implementation. For example, one earlier version tried to patch files from a package called @ethersproject/providers.

The additional file loader.js, which contains the download code for the third-stage payload, is created in the node_modules folder, where installed npm packages normally reside. Notably, there is a legitimate npm package called loader.js that has over 24 million downloads and 5,200 dependent applications. If that package is already present locally, the malware patches it; if it is not, the malware impersonates it.
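The impersonation case above leaves a concrete trace: a directory under node_modules that no dependency in the project's lockfile ever declared. The following is an added example, not code from the article or from ReversingLabs, of a lockfile-versus-disk check that reports such undeclared package directories. It assumes a lockfileVersion 2 or 3 package-lock.json, whose "packages" map is keyed by paths like "node_modules/loader.js"; the demo project it builds (package names, versions and the planted loader.js directory) is constructed for the example.

```python
"""Flag node_modules directories that package-lock.json does not declare.

Added example (not the article's or ReversingLabs' code). Assumes an npm
lockfile of version 2 or 3, whose "packages" map uses keys such as
"node_modules/ethers" or "node_modules/@scope/name".
"""
import json
import os
import tempfile


def declared_package_paths(lock):
    """Package paths the lockfile declares; the empty key is the project root."""
    return {path for path in lock.get("packages", {}) if path}


def installed_package_paths(project_dir):
    """Walk node_modules (including node_modules nested inside packages) and
    return every package directory as a lockfile-style relative path."""
    found = set()
    pending = [os.path.join(project_dir, "node_modules")]

    def record(pkg_dir):
        rel = os.path.relpath(pkg_dir, project_dir).replace(os.sep, "/")
        found.add(rel)
        pending.append(os.path.join(pkg_dir, "node_modules"))  # nested deps

    while pending:
        nm = pending.pop()
        if not os.path.isdir(nm):
            continue
        for entry in sorted(os.listdir(nm)):
            full = os.path.join(nm, entry)
            if entry.startswith(".") or not os.path.isdir(full):
                continue
            if entry.startswith("@"):  # scoped packages sit one level deeper
                for scoped in sorted(os.listdir(full)):
                    scoped_dir = os.path.join(full, scoped)
                    if os.path.isdir(scoped_dir):
                        record(scoped_dir)
            else:
                record(full)
    return found


def find_undeclared_packages(project_dir):
    """Package directories present on disk but absent from package-lock.json."""
    lock_path = os.path.join(project_dir, "package-lock.json")
    with open(lock_path, encoding="utf-8") as f:
        lock = json.load(f)
    return sorted(installed_package_paths(project_dir) - declared_package_paths(lock))


def build_demo_project():
    """Constructed sample: a lockfile declaring two packages, plus an undeclared
    node_modules/loader.js directory planted on disk (all values made up)."""
    root = tempfile.mkdtemp(prefix="npm-demo-")
    lock = {
        "name": "demo-app",
        "lockfileVersion": 3,
        "packages": {
            "": {"name": "demo-app", "dependencies": {"ethers": "^1.0.0"}},
            "node_modules/ethers": {"version": "1.0.0"},
            "node_modules/@ethersproject/providers": {"version": "1.0.0"},
        },
    }
    with open(os.path.join(root, "package-lock.json"), "w", encoding="utf-8") as f:
        json.dump(lock, f)
    for rel in ("node_modules/ethers",
                "node_modules/@ethersproject/providers",
                "node_modules/loader.js"):  # the planted, undeclared directory
        os.makedirs(os.path.join(root, rel))
        name = rel.split("node_modules/", 1)[1]
        with open(os.path.join(root, rel, "package.json"), "w", encoding="utf-8") as f:
            json.dump({"name": name, "version": "1.0.0"}, f)
    return root


if __name__ == "__main__":
    demo = build_demo_project()
    for path in find_undeclared_packages(demo):
        print("undeclared package on disk:", path)
```

Run it against a real project by calling find_undeclared_packages on the project root instead of the demo directory. This check only catches the impersonation case; when the legitimate loader.js package is already installed and gets patched in place, its directory is declared in the lockfile and will not be reported. For that case the installed files have to be compared against the lockfile's integrity hash, for example by reinstalling from the lockfile with npm ci and diffing the result.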

“While not as common as infostealers on the npm platform, downloaders are far from uncommon and are frequently encountered,” the ReversingLabs researchers said. “However, this downloader is notable because of the exceptional strategies employed by the attackers to hide the malicious payload it delivered. These evasive techniques were more thorough and effective than we have observed in npm-based downloaders before.”
