Cybersecurity researchers have discovered three malicious packages in the NPM registry. It pretends to be a popular telegram bot library, but has SSH backdoors and data removal capabilities.
The package in question is listed below –
According to supply chain security company Socket, the package is designed to mimic the Node-Telegram-Bot-API, the popular Node.js Telegram Bot API with over 100,000 downloads per week. Three libraries are still available for download.
“The numbers may sound modest, but they only need one compromised environment to pave the way for widespread penetration or unauthorized access to data,” said security researcher Kush Pandya.
“Supply chain security incidents have repeatedly shown that even a handful of installations can have catastrophic effects, especially if an attacker has direct access to a developer system or production server.”
The Rogue package not only reproduces legitimate library descriptions, but also utilizes a technique called Starjacking to increase reliability and trick and download unsuspecting developers.
Starjacking refers to an approach in which open source packages are created to become more popular by linking GitHub repositories associated with legitimate libraries. This typically takes advantage of non-existent validation of the relationship between the package and the GitHub repository.
Socket analysis shows that the package is designed to work explicitly on Linux systems, and adds two SSH keys to the “~/.ssh/Authorized_keys” file, giving the attacker permanent remote access to the host.
The script is designed to contact “ipinfo” to collect the system username and external IP address[.]io/ip. “It also issues a beacon to an external server (” solana.validator[.]Blog “) Confirm infection.
The inserted SSH key gives free remote access to threat access for subsequent code execution and data stripping, so making the package despicable is not to completely eliminate the threat.
This disclosure comes when the socket details another malicious package named @naderabdi/merchant-advcash. It is designed to launch a reverse shell on a remote server, disguised as a Volet (formerly Advcash) integration.
“The package @naderabdi/merchant-advcash contains hardcoded logic that opens a reverse shell to a remote server upon invoking a payment successful handler,” the company said. “It’s disguised as a utility for merchants to receive, verify and manage cryptocurrency or Fiat payments.”
“Unlike many malicious packages that run code during installation or import, this payload is delayed until runtime, especially after successful transactions. This approach helps to avoid detection as malicious code only runs under certain runtime conditions.”
Source link
