Cybersecurity researchers have discovered malicious npm packages that are exfiltrating sensitive data.



Cybersecurity researchers have recently detected a new group of malicious packages in the npm package registry that have been designed to extract sensitive developer information.


Phylum, a software supply chain firm, was the first to identify these "test" packages on July 31, 2023. Shortly after their discovery, the packages were removed and re-uploaded under different names that appeared legitimate. The motive behind this campaign remains unclear, but it is suspected to be targeted at the cryptocurrency sector due to references to modules like "rocketrefer" and "binarium."


All the packages were published by a user named malikrukd4732. Each module shares a common feature: the ability to execute JavaScript ("index.js") code, which can then exfiltrate valuable information to a remote server. This code is spawned in a child process by the "preinstall.js" file, which is executed upon package installation, initiating the execution of all the contained code.


The first step of the malicious code involves gathering the current operating system username and the current working directory. This information is then sent in a GET request to 185.62.57[.]60:8000/http. The exact purpose of this action is currently unknown, but it is believed that the data could be used to trigger "unseen server-side behaviors."


The script then proceeds to search for files and directories with specific extensions, such as .env, .svn, .gitlab, .hg, .idea, .yarn, .docker, .vagrant, .github, .asp, .js, .php, .aspx, .jspx, .jhtml, .py, .rb, .pl, .cfm, .cgi, .ssjs, .shtml, .env, .ini, .conf, .properties, .yml, and .cfg.


Once the data is harvested, including potentially sensitive credentials and intellectual property, it is transmitted to the server in the form of a ZIP archive file.
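The install-time pattern described above (a lifecycle hook spawning a script that reads the username and working directory, lists secret-bearing file extensions and references a hard-coded address) can be screened for before a package is trusted. The following audit function is an added example, not code from the article or from Phylum; its indicator list, the `auditPackage` name and the sample package are constructed, and the sample address comes from an RFC 5737 documentation range rather than the real server.

```javascript
// Audit an npm package's lifecycle hooks and the scripts they run for the
// reported install-time exfiltration pattern. Inputs are in-memory objects so
// the example runs offline; for real use, read package.json and the script
// files from the unpacked tarball and pass them in the same shape.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const INDICATORS = [ // constructed heuristics, one per behaviour in the report
  { re: /require\(["']child_process["']\)/, why: 'spawns child processes' },
  { re: /os\.userInfo\(\)|process\.env\.(?:USER|USERNAME)\b/, why: 'reads OS username' },
  { re: /process\.cwd\(\)/, why: 'reads working directory' },
  { re: /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/, why: 'hard-coded IP endpoint' },
  { re: /["'][*\w]*\.(?:env|ini|conf|properties|yml|cfg)["']/, why: 'lists secret/config extensions' },
  { re: /require\(["'](?:archiver|adm-zip|jszip)["']\)/, why: 'builds ZIP archives' },
];

// pkg: parsed package.json; files: { filename -> source } for the package's scripts.
function auditPackage(pkg, files) {
  const scripts = pkg.scripts || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => h in scripts);
  const findings = [];
  // Start from the .js files named in each hook (e.g. "node preinstall.js") and
  // follow string references to further .js files, so a hook that only spawns
  // "index.js" is still inspected.
  const queue = [];
  for (const h of hooks) {
    for (const m of scripts[h].matchAll(/([\w./-]+\.js)\b/g)) queue.push(m[1]);
  }
  const seen = new Set();
  while (queue.length) {
    const name = queue.shift().replace(/^\.\//, '');
    if (seen.has(name) || !(name in files)) continue;
    seen.add(name);
    const src = files[name];
    for (const { re, why } of INDICATORS) if (re.test(src)) findings.push({ file: name, why });
    for (const m of src.matchAll(/["']([\w./-]+\.js)["']/g)) queue.push(m[1]);
  }
  const distinct = new Set(findings.map((f) => f.why)).size;
  const risk = distinct >= 3 ? 'high' : hooks.length || distinct ? 'review' : 'low';
  return { hooks, findings, risk };
}

// Constructed sample mirroring the reported layout: preinstall hook -> child
// process -> index.js that collects username/cwd and names a remote endpoint.
const SAMPLE_PKG = { name: 'demo-pkg', version: '1.0.0', scripts: { preinstall: 'node preinstall.js' } };
const SAMPLE_FILES = {
  'preinstall.js': 'const { spawn } = require("child_process");\nspawn(process.execPath, ["index.js"]);',
  'index.js': 'const os = require("os");\nconst TARGET = "http://198.51.100.7:8000/http";\n' +
    'const EXT = [".env", ".ini", ".yml"];\nconst info = { user: os.userInfo().username, dir: process.cwd() };',
};
const BENIGN_PKG = { name: 'ok-pkg', version: '1.0.0', scripts: { test: 'jest' } };

console.log(auditPackage(SAMPLE_PKG, SAMPLE_FILES));   // risk: 'high', five findings
console.log(auditPackage(BENIGN_PKG, {}).risk);         // 'low'
```

A "review" result only means a lifecycle hook exists (many legitimate native modules have one); "high" means the hook chain shows several of the reported behaviours together and the package deserves manual inspection before installation.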


The attack is another instance of open-source repositories being exploited to distribute malicious code. ReversingLabs and Sonatype recently identified a similar PyPI campaign in which suspicious Python packages such as VMConnect, quantiumbase, and ethter contacted a command-and-control (C2) server and attempted to download an unspecified Base64-encoded string containing additional commands.


To deceive developers and appear trustworthy, the threat actors created corresponding repositories on GitHub with legitimate-looking descriptions, omitting the malicious behavior.


Previously, in early July 2023, ReversingLabs exposed a group of 13 rogue npm modules as part of a campaign called Operation Brainleeches. These modules were collectively downloaded about 1,000 times and facilitated credential harvesting via bogus Microsoft 365 login forms launched from JavaScript email attachments. The npm modules were used to host files for email phishing attacks and supply chain attacks against developers.


The fraudulent npm packages were posted between May 11 and June 13, 2023, and some were used to implant credential harvesting scripts into applications.


This activity highlights the abuse of legitimate services like jsDelivr, a content delivery network (CDN) for npm packages, for malicious purposes.
