SafeDep-tracked npm operation by the account conodeeth ([email protected]). Ships package pairs: a byte-for-byte clone of a popular library acts as an innocuous carrier and injects one malicious runtime dependency that is a repackaged legitimate library hosting a runtime-call-triggered RCE backdoor (no install hook, inert on require). Two pairs known: nodemon-sudo/tslint-conf re-shipped hours after npm took down the first pair nodemon-node/ts-await, reusing the same Pinata IPFS CID and jsonkeeper dead-drop. LOW/tentative resemblance to the DPRK-linked (Contagious Interview/BeaverTail) jsonkeeper+IPFS npm cluster — technique/infrastructure family only, NOT hard-indicator attribution; could be that cluster or a copycat.
Objective
Remote code execution and (suspected) credential/browser-database theft on developer and server machines running applications that wire in the fake logger.
Packages
Indicators
- sha256 aa9b9847e4ffd894a19ec9712848651882b0195de5f4953eef9b47791adddabfindicates
- email [email protected]indicates
- url https://jsonkeeper.com/b/XRGF3communicates-with
- domain jsonkeeper.comcommunicates-with
- domain peach-eligible-penguin-917.mypinata.cloudcommunicates-with
- url https://peach-eligible-penguin-917.mypinata.cloud/ipfs/bafkreigjnxn5vnn34rc5r43ajwwkmk4akqpm4awmq5gdhakgszpeqiffsucommunicates-with
- url https://jsonkeeper.com/b/4NAKKindicates
- sha256 d4b7add83e5c716b5e52082f713d71ec9d7bfd93e358d500d77c2393302dd004indicates
- sha256 2956b023858d706a5e241cd28b845088e5f414c5f70bd5d8cb73cb427d081065indicates
- sha256 541c35bd90653c9d7f93cdadb7f52c281d7a1375ffc9c0e118cf1d9df977dea7indicates
- sha256 d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4findicates
- email [email protected]indicates
- domain jsonspack.comindicates
Techniques
- ttp T1195.002 Compromise Software Supply Chainuses
- ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
- ttp T1027 Obfuscated Files or Informationuses
- ttp T1140 Deobfuscate/Decode Files or Informationuses
- ttp T1102 Web Serviceuses
- ttp T1105 Ingress Tool Transferuses
- ttp T1622 Debugger Evasionuses