- Socket found 60 malicious npm packages
- The packages used typosquatted names
- They were able to exfiltrate sensitive host data
Socket security researchers have warned of multiple malicious packages hosted on npm that steal sensitive data from users' systems and send it to the attackers.
In a blog post, Socket said it identified 60 packages on npm, uploaded from May 12 onwards from three separate accounts. The packages contain a post-install script that runs during `npm install` and exfiltrates the system's hostname, internal IP addresses, user home directory, current working directory, username and configured DNS servers.
The script also checks the hostname for strings associated with cloud providers and performs reverse DNS lookups, to make sure it is not running inside a sandbox or analysis environment.
Although it would have been possible, Socket said the packages did not deliver additional malware or escalate privileges. No persistence mechanisms were detected either.
A new twist on old tricks
Judging by the names, this was a textbook typosquatting attack.
The package names mimicked those of legitimate packages, such as "flipper-plugins", "react-xterm2" or "hermes-inspector-msggen". Based on the names, the researchers assumed the attackers were targeting CI/CD pipelines.
Before being removed from the registry, the packages had been downloaded roughly 3,000 times.
The complete list of the 60 malicious packages is in Socket's report. Anyone who has installed any of them is advised to remove them immediately and then run a full system scan. They should also rotate key credentials and enable 2FA wherever possible.
Socket also discovered a separate campaign, likewise on npm and likewise relying on typosquatting. This one distributed eight malicious packages that can delete files, corrupt data and brick systems outright. They had been on npm for about two years, Socket said, accumulating 6,200 downloads in that time.
Platforms such as npm and PyPI are constantly targeted by cybercriminals, who use them to try to compromise developers working on open source projects.
Via BleepingComputer