New Malicious Packages Discovered on npm Package Registry

Security researchers have identified a fresh batch of malicious packages on the npm package registry, built to steal sensitive information from the developers who install them. Phylum, a software supply chain security firm, first spotted the packages on July 31, 2023. Shortly after discovery they were removed from the registry and then re-uploaded under different, legitimate-sounding names.

The exact purpose of this campaign remains unclear, but it is suspected to be a highly targeted operation aimed at the cryptocurrency sector. References to modules with names such as “rocketrefer” and “binarium” support this theory.

All the packages were published by an npm user known as malikrukd4732. What they share is a JavaScript file (“index.js”) that collects data from the developer’s machine and sends it to a remote server.

“index.js” is spawned in a child process by a “preinstall.js” file, which is itself run by an install-time lifecycle hook declared in the package’s package.json (the hook is reported as postinstall). npm runs such hooks automatically during installation, so the payload executes before the package is ever imported or looked at by the developer.

The first step of the collection routine gathers the current operating system username and the current working directory and sends them in a GET request to 185.62.57[.]60:8000/http. The purpose of this request is not known; it may serve as a beacon that triggers server-side actions the victim never sees.

Next, the script searches for files and directories matching a specific set of extensions, including .env, .svn and .gitlab among many others. Whatever it finds, which can include credentials and valuable intellectual property, is bundled into a ZIP archive and uploaded to the same server.

Phylum notes that although these directories can hold sensitive data, they are more likely to contain a large number of standard application files that are not unique to the victim’s system and are therefore of little value to an attacker. That points to a motive centred on obtaining source code or environment-specific configuration files rather than bulk data.

The discovery is another instance of open-source repositories being abused to distribute malicious code. In a separate campaign identified by ReversingLabs, suspicious Python packages on PyPI, such as VMConnect, attempted to fetch a Base64-encoded string containing additional commands from a command-and-control server.

In early July 2023, ReversingLabs exposed a batch of 13 rogue npm modules that were downloaded around 1,000 times as part of an operation known as Operation Brainleeches. These modules were used to facilitate credential harvesting through bogus Microsoft 365 login forms launched from JavaScript email attachments.

These findings highlight how open-source repositories can be turned into delivery channels for both email phishing and supply chain attacks: developers unknowingly incorporate fraudulent npm packages that contain credential harvesting scripts into their applications. The Brainleeches libraries were posted to npm between May 11 and June 13, 2023.

It is worth noting that even legitimate services like the jsDelivr CDN can be abused for malicious purposes.

The post New Malicious Packages Discovered on npm Package Registry appeared first on satProviders.
