U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Malicious packages in the NPM designed for highly-targeted attacks

Researchers discovered a new set of malicious packages on the npm package manager that can exfiltrate sensitive developer data. On July 31, 2023, Phylum researchers observed the publication of ten different “test” packages on the npm package manager that were developed to exfiltrate sensitive developer source code and other confidential information. All of these packages […]

axios npm Package Contagious Interview campaign NPM

Researchers discovered a new set of malicious packages on the npm package manager that can exfiltrate sensitive developer data.

On July 31, 2023, Phylum researchers observed the publication of ten different “test” packages on the npm package manager that were developed to exfiltrate sensitive developer source code and other confidential information.

All of these packages were published by the same npm user, malikrukd4732, and contain three files.

The modules launch JavaScript (“index.js”) that includes the code to exfiltrate information to a remote server.

“The index.js code is spawned in a child process by the preinstall.js file. This action is prompted by the postinstall hook defined in the package.json file, which is executed upon package installation. Therefore, the mere act of installing this package initiates the execution of all this code.” reads the advisory published by Phylum.

The index.js gathers the current OS username and the current working directory, then it searches through directories on the system looking for files with specific extensions or in specific directories. The script creates ZIP archives of the directories it finds and finally, it attempts to upload them to an FTP server with IP address 185[.]62[.]57[.]60 using the username root and password TestX@!#33.

The files and directories targeted by the malicious code could potentially contain developers sensitive data, such as credentials for numerous applications and services. 

The researchers speculate the packages are part of a highly-targeted attack on developers working in the cryptocurrency sector.

“This seems to be another highly-targeted attack on developers involved in the cryptocurrency sphere. As of now, we’re uncertain about what @rocketrefer pertains to, but it could potentially be linked to CryptoRocket. According to its website’s meta description, CryptoRocket is a “bitcoin forex broker offering unrivalled[sic] trading conditions such as ultra-tight spreads and straight through processing.” Meanwhile, Binarium appears to be an options broker that provides access to a wide range of financial markets, including forex and cryptocurrency.” concludes the report. “Regardless this serves as yet another stark reminder of how important it is to trust your dependencies.”

It’s not uncommon to find malicious packages on NPM, in May ReversingLabs discovered two malicious packages, respectively named nodejs-encrypt-agent and nodejs-cookie-proxy-agent, in the npm package repository containing an open-source info-stealer called TurkoRat.

Organizations should pay attention to the packages that were used by their development teams paying attention to anomalies such as typos or strange version numbers.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, NPM)