Malicious npm Packages Used to Target GitHub Developer SSH Keys


Security researchers have uncovered two new malicious packages on the npm open source package manager that used GitHub to store Base64-encoded SSH private keys stolen from developer systems.

These packages, identified earlier this month, have since been removed from npm. According to a ReversingLabs report published today, this discovery highlights an ongoing trend of cybercriminals exploiting open source package managers for malicious software supply chain campaigns.

More generally, the company suggested a 1300% increase in malicious packages found on open source package managers between 2020 and the end of 2023. These malicious packages range from low-threat protestware to more sophisticated campaigns delivering malware directly from open source packages.

The first package, named warbeast2000, is still under development, but exhibited malicious behavior in its latest version. Upon installation, it launched a post-install script that fetched and executed a JavaScript file. This script read the private SSH key from the id_rsa file in the user's .ssh directory and uploaded the Base64-encoded key to a GitHub repository controlled by the attacker.

The second package, kodiak2k, had a similar modus operandi, with additional functionalities across its versions, including invoking the Mimikatz hacking tool and executing various scripts.


ReversingLabs warned that an alarming aspect of these attacks is their targeting of SSH keys, since a stolen key can provide unauthorized access to GitHub repositories and potentially compromise proprietary code.

Fortunately, the impact of this campaign was limited, with warbeast2000 downloaded around 400 times and kodiak2k about 950 times.

However, ReversingLabs expressed concern about the increasing dependence of malicious actors on open source software and development infrastructure, such as GitHub, for hosting components of malicious command-and-control (C2) infrastructure.

“With more and more open source malware available, GitHub is increasingly being used by malicious actors to support their campaigns. Often, these open source malware packages are feature rich and come with very detailed documentation allowing even low-skilled hackers (“script kiddies”) to deploy them,” reads the advisory.

“As malicious actors continue to develop new techniques for writing malware, developers as well as security researchers need to be on guard for new threats lurking in public repositories.”

To address these threats, the company recommended that developers conduct a security assessment before incorporating software or a library from package managers like npm or PyPI.
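The behavior described above (a lifecycle install hook that reads id_rsa, Base64-encodes it and pushes it to GitHub) is exactly what a pre-install package review should look for. The following Node.js script is an added example written for this article, not code from ReversingLabs, npm or either package: it audits the contents of an unpacked npm package (a map of file paths to file contents, which a reviewer would populate from `npm pack` output) for install hooks and for the indicators the article names. Both sample packages in the block are constructed for illustration; the "suspect" one is a skeletal stand-in that only mimics the described behavior and performs no upload.

```javascript
// Added example (not from the article or the packages it describes):
// a simple static audit of an npm package before installation.

// Lifecycle scripts that npm runs automatically on install.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators drawn from the behavior the article describes. Patterns are
// deliberately loose so that path.join('.ssh', 'id_rsa') is caught as well
// as a literal '.ssh/id_rsa'.
const INDICATORS = [
  { name: 'ssh-key-read',      re: /\.ssh\W{1,6}id_(rsa|ed25519|ecdsa|dsa)\b/i },
  { name: 'base64-encode',     re: /toString\(\s*['"]base64['"]\s*\)|btoa\(/i },
  { name: 'github-upload',     re: /api\.github\.com|github\.com\/[\w.-]+\/[\w.-]+/i },
  { name: 'remote-fetch-exec', re: /\b(curl|wget)\b.*\|\s*(node|sh|bash)\b|\beval\(/i },
];

/**
 * Audit one unpacked package.
 * files: { 'package.json': string, 'setup.js': string, ... }
 * Returns { hooks, findings, risk } where risk is 'high' | 'medium' | 'low'.
 */
function auditPackage(files) {
  const pkg = JSON.parse(files['package.json'] || '{}');
  const scripts = pkg.scripts || {};

  // Any declared install hook is worth a look on its own.
  const hooks = LIFECYCLE_HOOKS
    .filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));

  const findings = [];
  const scan = (label, text) => {
    for (const ind of INDICATORS) {
      if (ind.re.test(text)) findings.push({ file: label, indicator: ind.name });
    }
  };
  for (const [path, content] of Object.entries(files)) scan(path, content);
  for (const { hook, command } of hooks) scan(`package.json#scripts.${hook}`, command);

  // An install hook combined with a read of an SSH private key is the
  // combination the article describes; rate it highest.
  const names = new Set(findings.map((f) => f.indicator));
  let risk = 'low';
  if (hooks.length > 0 && names.has('ssh-key-read')) risk = 'high';
  else if (hooks.length > 0 || findings.length > 0) risk = 'medium';

  return { hooks, findings, risk };
}

// Constructed sample: a package shaped like the one the article describes.
// The script is a non-functional stand-in; no data is read or sent here.
const SUSPECT_PKG = {
  'package.json': JSON.stringify({
    name: 'constructed-suspect-sample',
    version: '1.0.0',
    scripts: { postinstall: 'node ./setup.js' },
  }),
  'setup.js': [
    "// constructed sample for the audit, not the real package's code",
    "const keyPath = require('path').join(require('os').homedir(), '.ssh', 'id_rsa');",
    "// const payload = require('fs').readFileSync(keyPath).toString('base64');",
    '// payload would then be committed to https://api.github.com/... (omitted)',
  ].join('\n'),
};

// Constructed sample: an ordinary package with no install hooks.
const BENIGN_PKG = {
  'package.json': JSON.stringify({
    name: 'constructed-benign-sample',
    version: '1.0.0',
    scripts: { test: 'mocha' },
  }),
  'index.js': 'module.exports = (a, b) => a + b;\n',
};

// Stand-alone usage: print both reports.
console.log(JSON.stringify(auditPackage(SUSPECT_PKG), null, 2));
console.log(JSON.stringify(auditPackage(BENIGN_PKG), null, 2));
```

A "high" result is a reason to read the hook script by hand before installing, not proof of malice; conversely, a "low" result says nothing about obfuscated or dynamically fetched code, which is why the article's advice to assess a package before adoption still applies.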
