Infiltration of Malicious npm Packages: Developers’ Sensitive Data at Risk

Cybersecurity researchers recently found a new set of malicious packages in the npm package registry aimed at exfiltrating sensitive developer information. Discovered by software supply chain firm Phylum on July 31, 2023, these “test” packages demonstrated increasing sophistication and were quickly re-uploaded with different names after removal.

The motive behind this campaign remains unclear, but it appears to be targeted at the cryptocurrency sector, as indicated by module references like “rocketrefer” and “binarium.”

All packages were published by the npm user malikrukd4732, and each contained JavaScript (“index.js”) capable of exfiltrating data to a remote server. The code execution begins upon package installation through the postinstall hook in package.json.

The process involves gathering the current operating system username and working directory, followed by sending a GET request with the data to 185.62.57[.]60:8000/http. The exact purpose of this action is unknown, but it may trigger “unseen server-side behaviors.”

The script then scans for files and directories with specific extensions like .env, .svn, .gitlab, .hg, .idea, .yarn, .docker, .vagrant, .github, .asp, .js, .php, .aspx, .jspx, .jhtml, .py, .rb, .pl, .cfm, .cgi, .ssjs, .shtml, .env, .ini, .conf, .properties, .yml, and .cfg.

The collected data, potentially containing credentials and valuable intellectual property, is transmitted to the server as a ZIP archive file.

Phylum explains that while these directories may have sensitive information, they are more likely to contain standard application files, making them less valuable to the attacker, whose focus appears to be on extracting source code or environment-specific configuration files.

This incident is a recent example of malicious code propagation via open-source repositories. ReversingLabs and Sonatype identified a PyPI campaign employing suspicious Python packages like VMConnect, quantiumbase, and ethter to communicate with a command-and-control (C2) server and attempt to download an unspecified Base64-encoded string with additional commands.

Security researcher Karlo Zanki suggests that the C2 server may upload commands only after an infected machine becomes interesting to the threat actor. Alternatively, the C2 server could use request filtering based on the infected machine’s IP address to avoid infecting specific countries.

The threat actors created corresponding repositories on GitHub with legitimate descriptions to deceive developers and make the Python packages appear trustworthy, concealing their malicious intent.

Earlier in July 2023, ReversingLabs exposed 13 rogue npm modules in a campaign called Operation Brainleeches. Some packages facilitated credential harvesting, launching fake Microsoft 365 login forms from JavaScript email attachments. The JavaScript file fetched next-stage payloads from jsDelivr, a content delivery network for npm-hosted packages. These npm modules served as an infrastructure supporting email phishing attacks and supply chain attacks targeting developers.

The latter involves implanting credential-harvesting scripts into applications that unknowingly incorporate the fraudulent npm packages. The libraries were posted to npm between May 11 and June 13, 2023.

Check Point reported on the same campaign, emphasizing the potential abuse of legitimate services like the jsDelivr CDN for malicious purposes.
