Cybersecurity researchers have discovered a new set of malicious packages on the npm package registry that are designed to extract sensitive developer information.
Software supply chain firm Phylum, which first identified the “test” packages on July 31, 2023, said they “demonstrated increasing functionality and refinement,” hours after which they were removed and re-uploaded under different, legitimate-sounding package names.
Although the ultimate goal of the venture is unclear, it is suspected to be a highly targeted campaign towards the cryptocurrency sector, based on references to modules such as “RocketRefer” and “Binarium”.
All packages were published by npm user malikrukd4732. A common feature in all modules is the ability to launch JavaScript (“index.js”) that is equipped to exfiltrate valuable information to a remote server.
The Phylum research team said, “The index.js code is generated in a child process by the preinstall.js file. This action is triggered by a postinstall hook defined in the package.json file, which is executed on package installation.”
The first step involves gathering the current operating system username and current working directory, after which a GET request is sent to 185.62.57[.]60:8000/http with the gathered data. The exact motivation behind this action is currently unknown, although it is believed that the information could be used to trigger “unexpected server-side behavior”.
Next, the script proceeds to search for files and directories matching a specific set of extensions: .env, .svn, .gitlab, .hg, .idea, .yarn, .docker, .vagrant, .github, .asp, .js, .php, .aspx, .jspx, .jhtml, .py, .rb, .pl, .cfm, .cgi, .ssjs, .shtml, .env, .ini, .conf, .properties, .yml, and .cfg.
The collected data, which may also include credentials and valuable intellectual property, is finally transmitted to the server as a zip archive file.
“While these directories may contain sensitive information, it is more likely that they contain a lot of standard application files that are not unique to the victim’s system and therefore less valuable to an attacker whose purpose is to extract source code or environments. It appears to be centered around specific configuration files,” Phylum said.
The development is the latest example of open-source repositories being used to spread malicious code. ReversingLabs and Sonatype have identified a PyPI campaign in which suspicious Python packages such as VMConnect, QuantumBase, and Ether contact a command-and-control (C2) server and attempt to download an unspecified Base64-encoded string carrying additional commands.
Security researcher Karlo Zanki explained, “Since command fetching is performed in an endless loop, it is possible that the operator of the C2 server uploads commands only after the infected machine is of interest to the threat actor.”
“Alternatively, the C2 server may perform some form of request filtering. For example, attackers may filter requests based on the IP address of the infected machine to avoid infecting targets from specific countries.”
In early July 2023, ReversingLabs also exposed a batch of 13 rogue NPM modules that were collectively downloaded nearly 1,000 times as part of a novel campaign called Operation BrainLeeches.
What makes the activity stand out is its use of some of the packages to facilitate credential harvesting via bogus Microsoft 365 login forms launched from a JavaScript email attachment that fetches the next-stage payloads from jsDelivr, a content delivery network (CDN) for packages hosted on npm.
In other words, published NPM modules serve as a supporting infrastructure for hosting files used in email phishing attacks, as well as for carrying out supply chain attacks directed against developers.
The latter is accomplished by implanting credential harvesting scripts in applications that unknowingly include fraudulent npm packages. The libraries were posted to npm between May 11 and June 13, 2023.
“One of the key advantages of jsDelivr is direct file linking: instead of using npm to install a package and reference it locally, you can link directly to a file hosted on jsDelivr’s CDN,” Check Point, which also reported on the same campaign, said. “But… even legitimate services like the jsDelivr CDN can be misused for malicious purposes.”