Malicious npm Packages

Cybersecurity researchers have discovered new malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information.  The npm registry is a public database of JavaScript packages that developers use to contribute packages to the community or download packages for their own projects.  The default npm public registry is found at https://registry.npmjs.org. npm is configured to use this registry by default, but it can be configured to use any compatible registry, or you can even run your own registry.  The npm public registry is powered by a CouchDB database, and the code for the couchapp is available at https://github.com/npm/npm-registry-couchapp. GitHub Packages is another registry that stores npm packages within your organization or personal account.[1]

Software supply chain firm Phylum, which first identified the "test" packages on 31 July 2023, said they "demonstrated increasing functionality and refinement," hours after which they were removed and re-uploaded under different, legitimate-sounding package names.  While the end goal of the undertaking is not clear, it's suspected to be a highly targeted campaign aimed at the cryptocurrency sector based on references to modules such as "rocketrefer" and "binarium."

All the packages were published by the npm user malikrukd4732.  A common feature across all the modules is the ability to launch JavaScript ("index.js") that's equipped to exfiltrate valuable information to a remote server.  The index.js code is spawned in a child process by the preinstall.js file.  This action is prompted by the postinstall hook defined in the package.json file, which is executed upon package installation. Therefore, the mere act of installing this package initiates the execution of all this code.

The first step entails gathering the current operating system username and the current working directory, following which a GET request with the collected data is sent to 185.62.57[.]60:8000/http.  The exact motivation behind this action is currently unknown, although it's believed that the information could be used to trigger "unseen server-side behaviors."

Subsequently, the script proceeds to look for files and directories matching a specific set of extensions: .env, .svn, .gitlab, .hg, .idea, .yarn, .docker, .vagrant, .github, .asp, .js, .php, .aspx, .jspx, .jhtml, .py, .rb, .pl, .cfm, .cgi, .ssjs, .shtml, .env, .ini, .conf, .properties, .yml, and .cfg.  The harvested data, which could also contain credentials and valuable intellectual property, is ultimately transmitted to the server in the form of a ZIP archive file.
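The execution chain described above starts with an install-time lifecycle hook in package.json, so a defender's first check on an unfamiliar package is whether it declares such hooks and what the referenced script does. The following audit helper is an added example, not code from the article or from the packages it describes; the sample manifest and script text are constructed to resemble the described chain (postinstall hook, preinstall.js spawning index.js).

```javascript
// Added example: flag install-time lifecycle hooks in an npm manifest and
// look inside the referenced script for behaviour worth a human review.
// Hooks npm runs automatically during installation:
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Patterns that merit a closer look in a hook script: spawning child
// processes, outbound HTTP(S) requests, or reading the local user account.
const SUSPICIOUS = [
  /child_process/, /\bspawn\s*\(/, /\bexec(Sync)?\s*\(/,
  /\brequire\(['"]https?['"]\)/, /\bfetch\s*\(/, /os\.userInfo\s*\(/,
];

// manifest: parsed package.json object; files: map of filename -> source text
function auditInstallHooks(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!scripts[hook]) continue;
    const cmd = scripts[hook];
    // The usual shape is "node something.js"; pull out the script name.
    const m = cmd.match(/\bnode\s+(\S+\.c?js)/);
    const file = m ? m[1] : null;
    const src = file && files[file] ? files[file] : '';
    const hits = SUSPICIOUS.filter((re) => re.test(src)).map(String);
    findings.push({ hook, cmd, file, hits });
  }
  return findings;
}

// True when any install hook's script matches a suspicious pattern.
function hasRiskyHooks(manifest, files) {
  return auditInstallHooks(manifest, files).some((f) => f.hits.length > 0);
}

// Constructed sample (not a real package): a postinstall hook that runs
// preinstall.js, which in turn spawns index.js in a child process.
const sampleManifest = {
  name: 'example-pkg', version: '1.0.0',
  scripts: { postinstall: 'node preinstall.js', test: 'mocha' },
};
const sampleFiles = {
  'preinstall.js':
    "const { spawn } = require('child_process');\nspawn('node', ['index.js']);",
};

console.log(JSON.stringify(auditInstallHooks(sampleManifest, sampleFiles), null, 2));
```

A complementary control is to install with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) so lifecycle hooks never run without an explicit decision.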

While these directories can contain sensitive information, they more likely hold many standard application files that are not unique to the victim's system and hence less valuable to the attacker, whose motive appears to center on extracting source code or environment-specific configuration files.

The development is the latest example of open-source repositories being used to propagate malicious code: ReversingLabs and Sonatype identified a PyPI campaign that employs suspicious Python packages such as VMConnect, quantiumbase, and ethter to contact a command-and-control (C2) server and attempt to download an unspecified Base64-encoded string with additional commands.  Since the command fetching is performed in an endless loop, it is possible that the operator of the C2 server uploads commands only after the infected machine is determined to be interesting to the threat actor.  Alternatively, the C2 server could be performing some type of request filtering.  For example, attackers may filter requests based on the IP address of the infected machine to avoid infecting targets from specific countries.

The threat actors created corresponding repositories on GitHub, complete with legitimate-looking descriptions, to make the Python packages appear trustworthy, although the malicious behavior was omitted, a sign that the attack was a deliberate effort to deceive developers.

In early July 2023, ReversingLabs also exposed a batch of 13 rogue npm modules that were collectively downloaded around 1,000 times as part of a novel campaign dubbed Operation Brainleeches.  What makes the activity stand out is its use of some of the packages to facilitate credential harvesting via bogus Microsoft 365 login forms launched from an email attachment, a JavaScript file that fetches the next-stage payloads from jsDelivr, a content delivery network (CDN) for packages hosted on npm.  The published npm modules act as supporting infrastructure for hosting files used in email phishing attacks and to carry out supply chain attacks directed against developers.

This is accomplished by implanting credential harvesting scripts in applications that inadvertently incorporate the fraudulent npm packages.  The libraries were posted to npm between May 11 and June 13, 2023.

One of the key benefits of jsDelivr is the direct file links: Instead of using npm to install the package and reference it locally, you can directly link to the file hosted on jsDelivr's CDN, but [...] even legit services such as the jsDelivr CDN can be abused for malicious purposes.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

Reporting:    https://www.redskyalliance.org/
Website:       https://www.redskyalliance.com/
LinkedIn:      https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632  

[1] https://thehackernews.com/2023/08/malicious-npm-packages-found.html
