Malicious npm packages

Developer information on the threat with malicious npm package


Security researchers recently found a new set of malicious packages in the npm registry designed to steal sensitive developer data. Software supply chain firm Phylum first discovered these packages on July 31, 2023; they were quickly removed and then re-uploaded under different names chosen to appear legitimate.

Source: npm package listed in the package.json file 

What might be the motive?

The motive behind the attack is not entirely clear, but it appears to target the cryptocurrency sector, given references to modules like “rocketrefer” and “binarium.” All packages were published by the npm user “malikrukd4732,” and each contains JavaScript (“index.js”) code that can exfiltrate valuable information to a remote server.

What’s the process?

During the process, the code:

  • collects operating system details
  • sends them to a remote server
  • searches for files with specific extensions such as .env, .gitlab, .js and .py, which may contain valuable intellectual property or credentials
  • transmits the collected data to the server as a ZIP archive

This incident is not isolated, as open-source repositories have been targeted before. 

https://twitter.com/attackify/status/1653665232563376130?s=20

Previous open-source repository targets

Another campaign was discovered using suspicious Python packages on PyPI, and attackers created corresponding repositories on GitHub to appear trustworthy to developers.

Source: The private-pypi server serves as an abstraction layer between Python package management tools (pip/poetry/twine) and the storage backends

In early July 2023, 13 rogue npm modules were also exposed in an operation known as “Operation Brainleeches,” where some packages facilitated credential harvesting through phishing attacks. The npm modules were used as supporting infrastructure for hosting files in email phishing and supply chain attacks against developers. According to ReversingLabs:

“The malicious npm packages were discovered in two tranches: One supported phishing attacks that harvested user data with phony Microsoft.com login forms launched from malicious email attachments. The other was intended to implant credential harvesting scripts in applications that inadvertently incorporate the npm packages.”

Source: Flow of the activity when the malicious attachment is opened in the web browser

It’s worth noting that even legitimate services like the jsDelivr CDN can be exploited for malicious purposes, demonstrating the importance of vigilance and security in open-source repositories.

Source: Target Open-Source repositories

Summing up

What does this mean? Taken together with earlier incidents, it is clear that open source repositories are a primary target. It is essential to assess the security of dependencies, have third-party packages audited, and monitor behavioural indicators such as those described above. Such indicators, collected across platforms, detect malicious code as it is deployed and help contain the larger risks.

Author: PureVPN

Date: August 7, 2023

