Cybersecurity researchers have recently uncovered a new set of malicious packages within the npm package registry. These packages are specifically designed to extract Kubernetes configurations and SSH keys from compromised machines and send them to a remote server.

So far, Sonatype has identified 14 different npm packages involved in this activity. Some of these packages include @am-fe/hooks, @am-fe/provider, @am-fe/request, @am-fe/utils, @am-fe/watermark, @am-fe/watermark-core, @dynamic-form-components/mui, @dynamic-form-components/shineout, @expue/app, @fixedwidthtable/fixedwidthtable, @soc-fe/use, @spgy/eslint-plugin-spgy-fe, @virtualsearchtable/virtualsearchtable, and shineouts.

These packages attempt to masquerade as legitimate JavaScript libraries and components, such as ESLint plugins and TypeScript SDK tools. However, upon installation, multiple versions of the packages execute obfuscated code to collect and extract sensitive files from the compromised machine.

In addition to extracting Kubernetes configurations and SSH keys, these modules are capable of gathering system metadata, including usernames, IP addresses, and hostnames. The collected data is then transmitted to a domain named app.threatest[.]com.

This discovery follows Sonatype’s recent detection of counterfeit npm packages that exploited dependency confusion to impersonate internal packages used by PayPal Zettle and Airbnb developers. Threat actors are continually targeting open-source registries such as npm, PyPI, and RubyGems with various forms of malware, including cryptojackers and infostealers, in an attempt to compromise developer systems and, through them, the software supply chain.

One example highlighted by Phylum involved an npm module called hardhat-gas-report, which remained benign for over eight months before receiving two consecutive updates in September 2023. The updates introduced malicious JavaScript code capable of exfiltrating Ethereum private keys copied to the clipboard and sending them to a remote server. Phylum noted that this targeted approach indicates a sophisticated understanding of cryptocurrency security and suggests an attempt to gain unauthorized access to Ethereum wallets or other secured digital assets.

Another instance involved a deceptive npm package named gcc-patch, which posed as a customized GCC compiler but actually contained a cryptocurrency miner. This miner covertly utilized the computational power of innocent developers to generate profits at their expense.

These malicious campaigns have expanded beyond the JavaScript (npm) ecosystem to include Python (PyPI) and Ruby (RubyGems). Threat actors are uploading packages with data collection and exfiltration capabilities and subsequently releasing new versions containing malicious payloads.

It is worth noting that this campaign specifically targets Apple macOS users, indicating that malware within open-source package repositories is not limited to Windows and is increasingly prevalent across different operating systems.

Phylum’s analysis suggests that the author of these packages is conducting a widespread campaign against software developers. However, the ultimate goal of this campaign remains unclear.
