Scrape Timestamp (UTC): 2025-05-23 17:40:57.312
Dozens of malicious packages on NPM collect host and network data

60 packages have been discovered in the NPM index that attempt to collect sensitive host and network data and send it to a Discord webhook controlled by the threat actor.

According to Socket’s Threat Research team, the packages were uploaded to the NPM repository starting May 12 from three publisher accounts.

Each of the malicious packages contains a post-install script that automatically executes during ‘npm install’ and collects the following information:

The script checks for hostnames associated with cloud providers and reverse-DNS strings in an attempt to determine whether it is running in an analysis environment.

Socket did not observe the delivery of second-stage payloads, privilege escalation, or any persistence mechanisms. However, given the type of data collected, the danger of targeted network attacks is significant.

Packages still available on NPM

The researchers reported the malicious packages, but at the time of writing they were still available on NPM and showed a cumulative download count of 3,000. By publishing time, though, none of them were present in the repository.

To trick developers into using them, the threat actor behind the campaign used names similar to legitimate packages in the index, like ‘flipper-plugins,’ ‘react-xterm2,’ and ‘hermes-inspector-msggen,’ generic trust-evoking names, and others that hint at testing, possibly targeting CI/CD pipelines.

The complete list of the 60 malicious packages is available in the bottom section of Socket’s report. If you have installed any of them, it is recommended to remove them immediately and perform a full system scan to eradicate any infection remnants.

Data wipers on NPM

Another malicious campaign that Socket uncovered yesterday on NPM involved eight malicious packages that mimic legitimate tools through typosquatting but can delete files, corrupt data, and shut down systems.

The packages, which targeted the React, Vue.js, Vite, Node.js, and Quill ecosystems, existed on NPM for the past two years and were downloaded 6,200 times. They evaded detection this long partly because the payloads activated only on hardcoded system dates and were structured to progressively destroy framework files, corrupt core JavaScript methods, and sabotage browser storage mechanisms.

The threat actor behind this campaign, who published them under the name ‘xuxingfeng’, has also published several legitimate packages to build trust and evade detection.

Although the danger has passed now based on the hardcoded dates, removing the packages is crucially important, as their author could push updates that re-trigger the wiping functions in the future.
Daily Brief Summary
Researchers discovered 60 malicious NPM packages aiming to collect and transmit critical host and network data.
These packages were identified by the Socket Threat Research team and utilized names mimicking legitimate packages to deceive developers.
The post-install script in these packages detects the execution environment to evade analysis and collects sensitive data without delivering further payloads.
Despite being reported, the packages remained online at the time of discovery, accumulating over 3,000 downloads, but were later removed.
Another discovered NPM campaign involved 8 data-wiping packages, targeting popular JavaScript ecosystems and disguised as legitimate tools.
The data-wiping packages were capable of file deletion, data corruption, and system shutdown, downloaded 6,200 times over two years.
Socket’s findings highlight the need for continuous vigilance and immediate system checks if suspicious packages are installed.