Malicious npm

Cybersecurity researchers have discovered a new batch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information.

Software supply chain firm Phylum, which first identified the "test" packages on July 31, 2023, said they "demonstrated increasing functionality and refinement," hours after which they were removed and re-uploaded under different, legitimate-sounding package names.

While the end goal of the undertaking is not clear, it's suspected to be a highly targeted campaign aimed at the cryptocurrency sector based on references to modules such as "rocketrefer" and "binarium."

All the packages were published by the npm user malikrukd4732. A common feature across all the modules is the ability to launch JavaScript ("index.js") that's equipped to exfiltrate valuable information to a remote server.

"The index.js code is spawned in a child process by the preinstall.js file," the Phylum researcher team said. "This action is prompted by the postinstall hook defined in the package.json file, which is executed upon package installation. Therefore, the mere act of installing this package initiates the execution of all this code."

The first step entails gathering the current operating system username and the current working directory, following which a GET request with the collected data is sent to 185.62.57[.]60:8000/http. The exact motivation behind this action is currently unknown, although it's believed that the information could be used to trigger "unseen server-side behaviors."
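The install-hook chain described above (a postinstall script in package.json that runs a bundled file, which in turn spawns index.js) is the part a defender can check before a package ever executes. The following is an added example, not code from the article or from Phylum: it inspects a package.json for install-time lifecycle scripts and flags commands that run a bundled script or reach for the network. The manifest it checks is constructed for illustration and is not one of the reported packages.

```javascript
// Lifecycle hooks that npm runs automatically during `npm install` of a dependency.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Patterns that merit a closer look when they appear in a hook command.
const SUSPICIOUS = [
  /\bnode\s+\S+\.js\b/i,        // runs a script shipped inside the package itself
  /child_process|spawn\(|exec\(/i, // spawns further processes
  /\bcurl\b|\bwget\b|https?:\/\//i, // network activity at install time
];

// Parse a package.json string and report every install-time hook it declares,
// marking those whose command matches one of the patterns above.
function auditManifest(manifestJson) {
  const pkg = JSON.parse(manifestJson);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const cmd = scripts[hook];
    const reasons = SUSPICIOUS.filter((re) => re.test(cmd)).map(String);
    findings.push({ hook, cmd, suspicious: reasons.length > 0, reasons });
  }
  return { name: pkg.name, version: pkg.version, findings };
}

// Constructed sample manifest (hypothetical package name), shaped like the
// hook chain the article describes: postinstall -> preinstall.js.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'example-package',
  version: '1.0.0',
  scripts: {
    postinstall: 'node preinstall.js',
    test: 'echo ok',
  },
});

const report = auditManifest(SAMPLE_MANIFEST);
console.log(JSON.stringify(report, null, 2));
```

Running the audit over each package.json under node_modules after a dry-run install is one way to use it; the blunt mitigation is `npm install --ignore-scripts` (or `npm config set ignore-scripts true`), which prevents these hooks from running at all.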


Subsequently, the script proceeds to look for files and directories matching a specific set of extensions: .env, .svn, .gitlab, .hg, .idea, .yarn, .docker, .vagrant, .github, .asp, .js, .php, .aspx, .jspx, .jhtml, .py, .rb, .pl, .cfm, .cgi, .ssjs, .shtml, .env, .ini, .conf, .properties, .yml, and .cfg.

The harvested data, which could also contain credentials and valuable intellectual property, is ultimately transmitted to the server in the form of a ZIP archive file.

"While these directories can have sensitive information, it's more likely they contain a lot of standard application files which are not unique to the victim's system and hence less valuable to the attacker, whose motive appears to be centered around extraction of source code or environment-specific configuration files," Phylum said.

The development is the latest example of open-source repositories being used to propagate malicious code. It follows ReversingLabs and Sonatype identifying a PyPI campaign that employs suspicious Python packages such as VMConnect, quantiumbase, and ethter to contact a command-and-control (C2) server and attempt to download an unspecified Base64-encoded string containing additional commands.

"Since the command fetching is performed in an endless loop, it is possible that the operator of the C2 server uploads commands only after the infected machine is determined to be interesting to the threat actor," security researcher Karlo Zanki explained.

"Alternatively, the C2 server could be performing some type of request filtering. For example, attackers may filter requests based on the IP address of the infected machine to avoid infecting targets from specific countries."

What's more, the threat actors created corresponding repositories on GitHub, complete with legitimate-looking descriptions, to make the Python packages appear trustworthy, although the malicious behavior was omitted -- a sign that the attack was a deliberate effort to deceive developers.

In early July 2023, ReversingLabs also exposed a batch of 13 rogue npm modules that were collectively downloaded around 1,000 times as part of a novel campaign dubbed Operation Brainleeches.

What makes the activity stand out is that some of the packages are used to facilitate credential harvesting via bogus Microsoft 365 login forms launched from an email attachment: a JavaScript file that fetches the next-stage payloads from jsDelivr, a content delivery network (CDN) for packages hosted on npm.

In other words, the published npm modules act as supporting infrastructure for hosting files used in email phishing attacks, as well as a means to carry out supply chain attacks directed against developers.

The latter is accomplished by implanting credential harvesting scripts in applications that inadvertently incorporate the fraudulent npm packages. The libraries were posted to npm between May 11 and June 13, 2023.

"One of the key benefits of jsDelivr is the direct file links: Instead of using npm to install the package and reference it locally, you can directly link to the file hosted on jsDelivr's CDN," Check Point, which also reported on the same campaign, said. "But [...] even legit services such as the jsDelivr CDN can be abused for malicious purposes."
