A new set of 48 malicious packages has been discovered in the npm registry, each capable of deploying a reverse shell on the systems that install it.
"These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said.
All the counterfeit packages were published by an npm user named hktalent (GitHub, X). At the time of writing, 39 of the packages uploaded by the author were still available for download.
The attack chain is triggered when the package is installed: an install lifecycle script declared in package.json runs obfuscated JavaScript that opens a reverse shell to rsh.51pwn[.]com.
"In this particular case, the attacker published dozens of benign-sounding packages with several layers of obfuscation and deceptive tactics in an attempt to ultimately deploy a reverse shell on any machine that simply installs one of these packages," Phylum said.
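To make the install-hook mechanism concrete, here is an added example (not code from Phylum, and not code taken from the hktalent packages) that parses a package.json and flags lifecycle scripts npm runs at install time, the point at which a malicious package gains code execution on the installing machine. The sample manifest, the hook list and the pattern list are constructed for illustration; the pattern list is a starting point for manual review, not a detection signature.

```javascript
// Added example: flag npm lifecycle scripts that execute during `npm install`.
// Hypothetical helper; the sample manifest below is constructed and is not
// the real content of any package mentioned in the article.

// Lifecycle hooks npm runs automatically when a package is installed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Patterns worth a second look in an install-time script (constructed list).
const SUSPICIOUS = [
  { name: "runs-js-file", re: /\bnode\b\s+\S+\.js/i },     // executes an arbitrary script
  { name: "network-fetch", re: /\bcurl\b|\bwget\b/i },     // pulls a payload from the network
  { name: "spawns-shell", re: /\b(bash|sh)\s+-c\b/i },     // spawns a shell command
  { name: "dev-tcp", re: /\/dev\/tcp\//i },                // bash reverse-shell idiom
  { name: "base64", re: /\bbase64\b/i },                   // decodes an embedded payload
];

// Returns one finding per install-time hook present in the manifest, with the
// names of any suspicious patterns the command matches.
function findInstallHooks(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const reasons = SUSPICIOUS.filter((p) => p.re.test(cmd)).map((p) => p.name);
    findings.push({ hook, command: cmd, suspicious: reasons.length > 0, reasons });
  }
  return findings;
}

// Constructed sample manifest: a postinstall hook that runs a bundled script.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "example-utils",
  version: "1.0.0",
  scripts: {
    postinstall: "node ./lib/setup.js",
    test: "mocha",
  },
});

// Constructed benign manifest: only non-install scripts.
const BENIGN_MANIFEST = JSON.stringify({
  name: "example-clean",
  version: "1.0.0",
  scripts: { test: "jest", lint: "eslint ." },
});

console.log(JSON.stringify(findInstallHooks(SAMPLE_MANIFEST), null, 2));
console.log(JSON.stringify(findInstallHooks(BENIGN_MANIFEST), null, 2));
```

A hook that merely runs `node somefile.js` is not malicious by itself; many legitimate packages compile native code or generate files at install time, which is why the output is a review list rather than a verdict. The practical mitigation while reviewing is to install with `npm install --ignore-scripts` (or set `ignore-scripts=true` in `.npmrc`), which prevents every lifecycle script from running, with the caveat that it also skips legitimate build steps that some packages need.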
The findings arrive close on the heels of revelations that two packages published to the Python Package Index (PyPI) under the guise of simplifying internationalization contained malicious code designed to siphon sensitive Telegram Desktop application data and system information.
The packages, named localization-utils and locute, were found to retrieve the final payload from a dynamically generated Pastebin URL and exfiltrate the information to an actor-controlled Telegram channel.
The development highlights the growing interest of threat actors in open-source ecosystems, which allow them to mount impactful supply chain attacks that reach many downstream consumers at once.
"These packages show a dedicated and elaborate effort to avoid detection via static analysis and visual inspection by employing a variety of obfuscation techniques," Phylum said, adding they "serve as yet another stark reminder of the critical nature of dependency trust in our open-source ecosystems."
Update
Following the publication of the research, the author of the malicious npm packages claimed on X that "Supply chain security research and verification are over, withdraw everything, and continue on other paths."