Identification of Numerous Malicious Packages on NPM Engaging in Host and Network Data Collection
. This script is capable of gathering the following information:</p>
<ul>
<li>Hostname</li>
<li>Internal IP address</li>
<li>User home directory</li>
<li>Current working directory</li>
<li>Username</li>
<li>System DNS servers</li>
</ul>
<p>The script actively probes for hostnames linked to cloud service providers and attempts to identify reverse DNS strings, ostensibly to discern whether it is operating within a secure analysis environment.</p>
<p>Although the Socket team did not observe the deployment of second-stage payloads or privilege escalation mechanisms, the nature of the information gathered poses a significant risk for targeted network attacks.</p>
<h2>Malicious Packages Still Present on NPM</h2>
<p>Despite reporting the findings, as of the time of writing, these malicious packages remained accessible on the NPM repository with a total download count of approximately 3,000. However, subsequent to the publishing of this article, they have been removed from the repository.</p>
<p>In a bid to deceive developers into utilizing their packages, the threat actors employed package names that closely resemble legitimate ones available in the index, such as ‘flipper-plugins,’ ‘react-xterm2,’ and ‘hermes-inspector-msggen.’ These names were crafted to evoke a sense of trust, with some hinting at testing purposes, which may target Continuous Integration/Continuous Deployment (CI/CD) pipelines.</p>
<p>A comprehensive list of the 60 malicious packages is available through Socket’s detailed report.</p>
<p>For any developers who may have inadvertently installed these packages, it is crucial to remove them immediately and conduct a thorough system scan to eliminate any traces of infection.</p>
<h2>Data Wipers on NPM</h2>
<p>In a separate malware campaign identified by Socket, eight malicious packages mimicking legitimate tools through typosquatting have been discovered. These packages possess the capability to delete files, corrupt data, and cause system failures.</p>
<p>Targeting ecosystems including React, Vue.js, Vite, Node.js, and Quill, these malicious packages have existed on the NPM platform for the past two years, accumulating around 6,200 downloads.</p>
<p>Their longevity can be attributed to the activation of their malicious payloads based on hardcoded system dates, and they were designed to systematically delete framework files, corrupt core JavaScript methods, and sabotage browser storage systems.</p>
<div style=)
Source: Socket
The threat actor responsible for this campaign, operating under the pseudonym ‘xuxingfeng’, also published several legitimate packages to enhance the credibility of their account and evade detection.
While the immediate threat may have diminished due to the reliance on hardcoded dates, it remains imperative to uninstall these packages. The author could potentially issue updates that re-initiate destructive payloads in the future.
Attacks targeting revenue cycle management (RCM) and debt collection firms present significant risks, as these breaches can yield extensive personal…
Google has announced the rollout of Veo 3, an advanced video generation tool now available to all users of Vertex…
Thousands of personal records linked to athletes and attendees of the Saudi Games have been compromised due to a cyber-attack…
The UK government’s flagship cyber-resilience initiative has reached a significant milestone, with quarterly certifications for the Cyber Essentials scheme surpassing…
The Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation (FBI) have issued an advisory regarding cyber…
OpenAI is set to release an update for ChatGPT that will activate the new o3 Pro model, which boasts enhanced…
Recent discoveries have identified two critical vulnerabilities in the open-source forum software vBulletin, one of which is confirmed to be…
Google continues to push the boundaries of artificial intelligence with the anticipated introduction of a new model, referred to as…