Stealthy npm Malware Exposes Developer Data

Written by

A stealthy malware has been discovered on npm, the popular package manager for JavaScript, that poses a severe threat by exposing sensitive developer data.

The findings come from cybersecurity firm Phylum, who said that on July 31 2023, their automated risk detection platform raised an alert regarding suspicious activities on npm.

Over the course of a few hours, ten seemingly innocuous “test” packages were published. On closer inspection, Phylum’s researchers discovered that these packages were part of a sophisticated and targeted malware attack aimed at exfiltrating sensitive developer source code and confidential information.

The attack demonstrated a carefully crafted development cycle, with the attacker refining the malware’s functionality through several iterations. The final “production” packages were disguised with legitimate-sounding names, potentially tricking victims into installing them unwittingly.

Sign up to the Infosecurity Magazine newsletter here. 

Upon analyzing the attack code, Phylum uncovered that it utilized a combination of post-install hooks and pre-install scripts to trigger the execution of malicious code once the packages were installed. This code was designed to perform several actions.

First, the malware gathered the machine’s operating system (OS) username and current working directory and sent this information as URL query parameters in an HTTP GET request to a remote server.

Next, the malware scanned the victim’s directories for files with specific extensions or located in specific directories known to contain sensitive information, such as credentials or configuration files.

Once the target files and directories were identified, the malware created ZIP archives, excluding certain standard application directories to avoid unnecessary bulk. Finally, the malware attempted to upload the compressed archives to an FTP server.

In an advisory published on Thursday, Phylum’s experts noted that the attack’s primary targets appeared to be developers involved in the cryptocurrency sphere.

The document also contains additional information about the attack, including the source code of the malware and more details about the attack chain.

Its publication comes hours after ReversingLabs discovered new malicious packages on the PyPI repository.

Read more on typosquatting: Malicious Npm Package Uses Typosquatting, Downloads Malware

What’s hot on Infosecurity Magazine?