Cybersecurity researchers have discovered malicious npm packages that are exfiltrating sensitive data.
Cybersecurity researchers have recently detected a new group of malicious packages in the npm package registry that have been designed to extract sensitive developer information.
Phylum, a software supply chain firm, was the first to identify these "test" packages on July 31, 2023. Shortly after their discovery, the packages were removed and re-uploaded under different names that appeared legitimate. The motive behind this campaign remains unclear, but it is suspected to be targeted at the cryptocurrency sector due to references to modules like "rocketrefer" and "binarium."
All the packages were published by a user named malikrukd4732. Each module shares a common feature: it runs JavaScript code ("index.js") that exfiltrates valuable information to a remote server. The "preinstall.js" file, which is executed upon package installation, spawns this code in a child process and so starts everything the package contains.
The first step of the malicious code involves gathering the current operating system username and the current working directory. This information is then sent in a GET request to 185.62.57[.]60:8000/http. The exact purpose of this action is currently unknown, but it is believed that the data could be used to trigger "unseen server-side behaviors."
The script then proceeds to search for files and directories with specific extensions, such as .env, .svn, .gitlab, .hg, .idea, .yarn, .docker, .vagrant, .github, .asp, .js, .php, .aspx, .jspx, .jhtml, .py, .rb, .pl, .cfm, .cgi, .ssjs, .shtml, .ini, .conf, .properties, .yml, and .cfg.
Once the data is harvested, including potentially sensitive credentials and intellectual property, it is transmitted to the server in the form of a ZIP archive file.
The attack highlights how open-source repositories are exploited to distribute malicious code. ReversingLabs and Sonatype have identified other examples, such as a PyPI campaign in which suspicious Python packages such as VMConnect, quantiumbase, and ethter were used to contact a command-and-control (C2) server and attempt to download an unspecified Base64-encoded string with additional commands.
To deceive developers and appear trustworthy, the threat actors created corresponding repositories on GitHub with legitimate-looking descriptions, omitting the malicious behavior.
Previously, in early July 2023, ReversingLabs exposed a group of 13 rogue npm modules as part of a campaign called Operation Brainleeches. These modules were collectively downloaded about 1,000 times and facilitated credential harvesting via bogus Microsoft 365 login forms launched from JavaScript email attachments. The npm modules were used to host files for email phishing attacks and supply chain attacks against developers.
The fraudulent npm packages were posted between May 11 and June 13, 2023, and some were used to implant credential harvesting scripts into applications.
This activity highlights the abuse of legitimate services like jsDelivr, a content delivery network (CDN) for npm packages, for malicious purposes.