Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label NPM. Show all posts
Software
2FA Cloud Service Code Cyber Security DNS NPM Software

NPM Developers Targeted: Fake Packages Secretly Collecting Personal Data

 



Security experts are warning people who use NPM — a platform where developers share code — to be careful after finding several fake software packages that secretly collect information from users' computers.

The cybersecurity company Socket found around 60 harmful packages uploaded to NPM starting mid-May. These were posted by three different accounts and looked like normal software, but once someone installed them, a hidden process ran automatically. This process collected private details such as the device name, internal IP address, the folder the user was working in, and even usernames and DNS settings. All of this was sent to attackers without the user knowing.

The script also checked whether it was running in a cloud service or a testing environment. This is likely how the attackers tried to avoid being caught by security tools.

Luckily, these packages didn’t install extra malware or try to take full control of users’ systems. There was no sign that they stayed active on the system after installation or tried to gain more access.

Still, these fake packages are dangerous. The attackers used a trick known as "typosquatting" — creating names that are nearly identical to real packages. For example, names like “react-xterm2” or “flipper-plugins” were designed to fool people who might type quickly and not notice the slight changes. The attackers appeared to be targeting software development pipelines used to build and test code automatically.

Before they were taken down, these fake packages were downloaded nearly 3,000 times.

In a separate discovery, Socket also found eight other harmful packages on NPM. These had been around for about two years and had been downloaded over 6,000 times. Unlike the first group, these could actually damage systems by deleting or corrupting data.

If you've used any unfamiliar packages recently, remove them immediately. Run a full security scan, change your passwords, and enable two-factor authentication wherever possible.

This incident shows how hackers are now using platforms like NPM to reach developers directly. It’s important to double-check any code you install, especially if it’s from a source you don’t fully recognize.


Read more »
Trojan
Aikido Attack Backdoor Cyber Security DevSecOps JavaScript NPM npmregistry obfuscatedcode Opensource randuseragent RAT Security Supplychain Trojan

Compromised npm Package 'rand-user-agent' Used to Spread Remote Access Trojan

 

A widely-used npm package, rand-user-agent, has fallen victim to a supply chain attack, where cybercriminals injected obfuscated code designed to install a Remote Access Trojan (RAT) on users’ systems.

Originally developed to generate randomized user-agent strings—helpful in web scraping, automation, and cybersecurity research—the package was deprecated but remained in use, logging approximately 45,000 downloads per week.

Security experts at Aikido uncovered the compromise on May 5, 2025, when their malware detection tools flagged version 1.0.110 of rand-user-agent. A deeper investigation revealed hidden malicious code in the dist/index.js file. This code was deliberately obscured and only viewable with horizontal scrolling on the npm website.

Researchers confirmed that the last legitimate release was version 2.0.82, uploaded seven months ago. The malicious code appeared in unauthorized versions 2.0.83, 2.0.84, and 1.0.110, none of which corresponded with updates on the project's GitHub repository—an indicator of foul play.

Once installed, the malicious versions create a hidden directory in the user’s home path (~/.node_modules) and modify the module loading path to prioritize this directory. They then load specific dependencies such as axios and socket.io-client, and establish a persistent connection to the attacker’s command and control (C2) server at http://85.239.62[.]36:3306.

Through this connection, the attacker retrieves critical system data—such as hostname, OS type, username, and a generated UUID. Once activated, the RAT listens for the following commands:
  • cd <path>: Change directory
  • ss_dir: Reset directory to script path
  • ss_fcd:<path>: Force change to a new directory
  • ss_upf:f,d: Upload single file
  • ss_upd:d,dest: Upload all files in a directory
  • ss_stop: Stop ongoing upload
  • Any other input is executed via child_process.exec()

Currently, the malicious versions have been removed from the npm repository. Developers are urged to revert to the latest clean version. However, users who installed versions 2.0.83, 2.0.84, or 1.0.110 are advised to run a full malware scan, as downgrading the package does not eliminate the RAT.

For continued use, it’s recommended to switch to a forked and actively maintained alternative of rand-user-agent.

The original developer responded to BleepingComputer with the following statement:

“On 5 May 2025 (16:00 UTC) we were alerted that three unauthorized versions of rand-user-agent had been published to the npm registry (1.0.110, 2.0.83, 2.0.84). The malicious code was never present in our GitHub repository; it was introduced only in the npm artifacts, making this a classic supply-chain attack.

Our investigation (still ongoing) shows that the adversary obtained an outdated automation token from an employee and used it to publish releases to npm. That token had not been scoped with 2-factor authentication, allowing the attacker to: Publish versions that did not exist in GitHub, Increment the version numbers to appear legitimate, Deprecate nothing, hoping the new releases would propagate before anyone noticed.

There is no evidence of a breach in our source-code repository, build pipeline, or corporate network. The incident was limited to the npm registry.

We apologize to every developer and organization impacted by this incident. Protecting the open-source ecosystem is a responsibility we take seriously, and we are committed to full transparency as we close every gap that allowed this attack to occur.”
Read more »
Trojan
Cybersecurity Exploit malware backdoor NPM Reverse Shell Trojan

Malicious npm Packages Plant Persistent Reverse Shell Backdoors

 

Security researchers have uncovered two malicious npm packages that stealthily modify legitimate, locally installed libraries to embed a persistent reverse shell backdoor—even after the original malicious code is deleted.

The stealthy threat was identified by cybersecurity experts at Reversing Labs, who emphasized the potential risk despite the packages not seeing widespread downloads.

"It's not unusual to encounter downloaders on npm; they are maybe not as common as infostealers, but they are far from uncommon," explains Reversing Labs.

"However, this downloader is worth discussing because of the exceptional strategies employed by the attackers to hide the malicious payload it delivered."

The malicious packages—'ethers-provider2' and 'ethers-providerz'—were found during Reversing Labs’ routine inspections of the open-source supply chain.

The 'ethers-provider2' package, still available on npm at the time of reporting, is built off the popular 'ssh2' npm package. However, its install.js script is altered to fetch a second-stage payload from a remote server. Once executed, this payload is deleted to avoid detection.

It then looks for the legitimate 'ethers' package, and if present, replaces its provider-jsonrpc.js file with a trojanized version. This new file contacts a remote server to download a third-stage payload, effectively establishing a reverse shell using a tampered SSH client that imitates the real SSH2 module.

The alarming part? Uninstalling the original malicious package does not remove the infected ethers package, leaving the backdoor in place.

Similarly, 'ethers-providerz' mirrors this behavior but targets the @ethersproject/providers package. Its goal, based on code analysis, is the same: to patch the library and create a reverse shell pointing to the malicious IP (5[.]199[.]166[.]1:31337).

Earlier versions of this package had path errors, making them ineffective, but the author has since removed it from npm, potentially to re-upload a corrected version later.

Researchers also flagged two additional packages, 'reproduction-hardhat' and '@theoretical123/providers', as likely part of the same coordinated attack.

To help developers detect such threats, Reversing Labs has released a YARA rule targeting the known malware associated with this campaign. They strongly advise developers to regularly scan their environments and inspect packages for suspicious activity.

As a general rule, it’s critical to verify package integrity and authorship when downloading from platforms like npm or PyPI, and to watch for red flags such as obfuscated code or connections to external servers.
Read more »
Vulnerabilities and Exploits
Account security Account Takeover BreachForums Dark Web Data Safety GitHub NPM Vulnerabilities and Exploits

Critical npm Account Takeover Vulnerability Sold on Dark Web

 

A cybercriminal known as Alderson1337 has emerged on BreachForums, offering a critical exploit targeting npm accounts. This vulnerability poses a significant threat to npm, a crucial package manager for JavaScript managed by npm, Inc., a subsidiary of GitHub. Alderson1337 claims this exploit can enable attackers to hijack npm accounts linked to specific employees within organizations. 

The method involves embedding undetectable backdoors into npm packages used by these employees, potentially compromising numerous devices upon updates. This exploit could have widespread implications for organizational security. Instead of sharing a proof of concept (PoC) publicly, Alderson1337 has invited interested buyers to contact him privately, aiming to maintain the exploit’s confidentiality and exclusivity. If executed successfully, this npm exploit could inject backdoors into npm packages, leading to extensive device compromise. 

However, npm has not yet issued an official statement, leaving the claims unverified. The incident primarily impacts npm Inc., with npmjs.com being the related website. While the potential repercussions are global, the specific industry impact remains undefined. Account takeover (ATO) vulnerabilities represent severe risks where cybercriminals gain unauthorized access to online accounts by exploiting stolen credentials. These credentials are often obtained through social engineering, data breaches, or phishing attacks. 

Once acquired, attackers use automated bots to test these credentials across various platforms, including travel, retail, finance, eCommerce, and social media sites. Users’ reluctance to update passwords and reusing them across different platforms increase the risk of credential stuffing and brute force attacks. Such practices allow attackers to access accounts, potentially leading to identity theft, financial fraud, or misuse of personal information. To mitigate ATO attack risks, experts recommend adopting strong password management practices, including using unique, complex passwords for each account and enabling two-factor authentication (2FA) wherever possible. Regular monitoring for unauthorized account activities and promptly responding to suspicious login attempts are also crucial for maintaining account security. 

While Alderson1337’s claims await verification, this incident underscores the ongoing challenges posed by account takeover vulnerabilities in today’s interconnected digital landscape. Vigilance and collaboration across the cybersecurity community are essential to mitigating these threats and preserving the integrity of online platforms and services.
Read more »
NPM
Cyber Attacks Cyber Hackers Cyberattack Threat CyberCrime Cybersecurity GDPR GitHub North Korea NPM

New Cyber Threat: North Korean Hackers Exploit npm for Malicious Intent

 


There has been an updated threat warning from GitHub regarding a new North Korean attack campaign that uses malicious dependencies on npm packages to compromise victims. An earlier blog post published by the development platform earlier this week claimed that the attacks were against employees of blockchain, cryptocurrency, online gambling, and cybersecurity companies.   

Alexis Wales, VP of GitHub security operations, said that attacks often begin when attackers pretend to be developers or recruiters, impersonating them with fake GitHub, LinkedIn, Slack, or Telegram profiles. There are cases in which legitimate accounts have been hijacked by attackers. 

Another highly targeted attack campaign has been launched against the NPM package registry, aimed at enticing developers into downloading immoral modules by enticing them to install malicious third-party software. There was a significant attack wave uncovered in June, and it has since been linked to North Korean threat actors by the supply chain security firm Phylum, according to Hacker News. This attack wave appears to exhibit similar behaviours as another that was discovered in June. 

During the period from August 9 to August 12, 2023, it was identified that nine packages were uploaded to NPM. Among the libraries that are included in this file are ws-paso-jssdk, pingan-vue-floating, srm-front-util, cloud-room-video, progress-player, ynf-core-loader, ynf-core-renderer, ynf-dx-scripts, and ynf-dx-webpack-plugins. A conversation is initiated with the target and attempts are made to move the conversation to another platform after contacting them. 

As the attacker begins to execute the attack chain, it is necessary to have a post-install hook in the package.json file to execute the index.js file which executes after the package has been installed. In this instance, a daemon process is called Android. The daemon is launched as a dependency on the legitimate pm2 module and, in turn, a JavaScript file named app.js is executed. 

A JavaScript script is crafted in a way that initiates encrypted two-way communications with a remote server 45 seconds after the package is installed by masquerading as RustDesk remote desktop software – "ql. rustdesk[.]net," a spoofed domain posing as the authentic RustDesk remote desktop software. This information entails the compromised host's details and information. 

The malware pings every 45 seconds to check for further instructions, which are decoded and executed in turn, after which the malware checks for new instructions every 45 seconds. As the Phylum Research Team explained, "It would seem to be that the attackers are monitoring the GUIDs of the machines in question and selectively sending additional payloads (which are encoded Javascript code) to the machines of interest in the direction of the GUID monitors," they added. 

In the past few months there have been several typosquat versions of popular Ethereum packages in the npm repository that attempts to make HTTP requests to Chinese servers to retrieve the encryption key from the wallet on the wallet.cba123[.]cn, which had been discovered. 

Additionally, the highly popular NuGet package, Moq, has come under fire since new versions of the package released last week included a dependency named SponsorLink, that extracted the SHA-256 hash of developers' email addresses from local Git configurations and sent them to a cloud service without their knowledge. In addition, Moq has been receiving criticism after new versions released last week came with the SponsorLink dependency. 

Version 4.20.2 of the app has been rolled back as a result of the controversial changes that raise GDPR compliance issues. Despite this, Bleeping Computer reported that Amazon Web Services (AWS) had withdrawn its support for the project, which may have done serious damage to the project's reputation. 

There are also reports that organizations are increasingly vulnerable to dependency confusion attacks, which could've led to developers unwittingly introducing malicious or vulnerable code into their projects, thus resulting in large-scale attacks on supply chains on a large scale. 

There are several mitigations that you can use to prevent dependency confusion attacks. For example, we recommend publishing internal packages under scopes assigned to organizations and setting aside internal package names as placeholders in the public registry to prevent misuse of those names.

Throughout the history of cybersecurity, the recent North Korean attack campaign exploiting npm packages has served as an unmistakable reminder that the threat landscape is transforming and that more sophisticated tactics are being implemented to defeat it. For sensitive data to be safeguarded and further breaches to be prevented, it is imperative that proactive measures are taken and vigilant measures are engaged. To reduce the risks posed by these intricate cyber tactics, organizations need to prioritize the verification of identity, the validation of packages, and the management of internal packages.
Read more »
NPM
GitHub Linux macOS malware NPM

Linux, MacOS Malware Hidden in Fake Browserify NPM Package

 

Over the course of the weekend, Sonatype's automated malware detection system spotted a serious exceptional malware sample published to the NPM registry. NodeJS engineers working with Linux and Apple macOS operating systems were targeted by a brand-new malicious package recognized on the NPM (Node Package Manager) registry. The malignant package, named "web-browserify" looks like the well-known Browserify NPM component which has been downloaded in excess of 160 million times all through its lifecycle, with over 1.3 million weekly downloads on NPM alone, being utilized by 356,000 GitHub repositories. 

Evidently, the malignant component has been downloaded around 50 times before it was taken out from the NPM within two days of its publishing. The package, made by a pseudonymous creator portraying themselves to be Steve Jobs, consolidates many approved open-source components and executes extensive surveillance actions on a contaminated system. Besides, up to this point, none of the main antivirus engines had the option to identify the ELF malware contained with the component. The way that it utilizes genuine software applications to perform dubious exercises could be one of the reasons. 

Browserify's fame comes from it being an open-source JavaScript instrument that permits developers to write cross-platform, NodeJS-style modules that gather for use in the browser. The distinction between the authentic Browserify and the phony one is that the latter abuses legitimate NPM components to bundle inside a malicious, hard to notice Linux and Mac executable. 

The malignant bundle incorporates a manifest file, package.json, a postinstall.js script, and an ELF executable called "run" existing in a compressed archive, run.tar.xz inside the npm component. When a developer is installing the package, the scripts pull out and start the "run" Linux binary from the archive, which demands elevated or root permissions from the user. The extracted "run" binary is immense, around 120 MB in size, and bundles inside itself hundreds of legitimate NPM components. The malware is made totally from open source components and uses these genuine components to organize its extensive surveillance activities. 

The cross-platform “sudo-prompt” module is one of these components and is used by "run" to provoke the client into permitting the malware root privileges on both macOS and Linux distributions.
Read more »
Subscribe to: Posts (Atom)