npm Supply Chain Attack Spreads Worm Malware Stealing Developer Secrets Across Compromised Packages

 

Concern is growing in the cybersecurity community after the discovery of a new supply chain attack on the npm platform, in which self-replicating malicious code is planted in public software libraries to harvest confidential information from developers. Although broad consumer impact appears minimal, investigators at Socket and StepSecurity confirm that the attack specifically targets niche development setups, environments often overlooked in typical breach patterns.

Detection came after automated systems flagged unusual network activity, leading analysts to trace the payloads back to tampered dependencies uploaded under legitimate project names. Unlike older variants that rely on user interaction, this version activates silently once installed and transmits credentials to remote servers without visible signs. Researchers emphasize that the sophistication lies not in complexity but in timing: the attacks unfold during build processes, evading standard runtime checks.

Initial samples suggest that the attackers maintain persistence by chaining exploits across multiple packages. Investigation continues into whether source repositories were breached directly or whether hijacked maintainer accounts provided the upload privileges. Soon after the initial breach, several packages tied to Namastex Labs began showing suspicious behavior. Altered versions of @automagik/genie, pgserve, and similar tools appeared online one after another without warning.

What started as isolated reports now points to a wider pattern. Although some tainted releases have been pulled, fresh variants continue to turn up. The danger comes from how the code spreads itself automatically. Right after a package installs, it acts like a worm: it starts immediately and collects key details from the system it lands on. The targets include API tokens, SSH keys, cloud login information, and secrets used in software build tools, containers, or AI setups.

It then sends what it finds to servers run by the attackers. Although conclusive proof is lacking, analysts observe patterns matching past operations tied to TeamPCP. The similarities lie in how the malware activates upon installation, grabs login details, and uses distributed infrastructure for spreading code and storing stolen data. What makes this malware more than a credential stealer is that it keeps propagating.

Once inside, it hunts for npm login details and identifies which libraries the developer can publish. Harmful scripts are then inserted and the packages republished, turning trusted tools into hidden entry points. If Python credentials appear, the same process spreads into PyPI. Traditional systems are not the only ones at risk: crypto-linked holdings face exposure too, with data targeted from tools like MetaMask and Phantom. One weak spot in a developer’s setup can ripple outward, showing how quickly risks spread across software ecosystems.

Axios npm Breach Exposes Threat of Social Engineering Attacks on Open-Source Ecosystem

 



A security incident involving the widely used Axios HTTP library has revealed how attackers are increasingly targeting software maintainers themselves, rather than exploiting code vulnerabilities, to carry out large-scale supply chain attacks.

The issue came to light after Axios maintainers disclosed that an attacker gained access to a contributor’s npm account and used it to publish two compromised versions of the package, 1.14.1 and 0.30.4. These releases included a hidden dependency named plain-crypto-js, which deployed a remote access trojan across macOS, Windows, and Linux systems.

Although the malicious packages were available for only about three hours before being removed, the short exposure window does not reduce the severity. Any system that installed these versions is now considered unsafe. Users have been advised to immediately rotate all credentials, revoke authentication tokens, and assume full compromise of affected environments.
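To check whether a project resolved one of the affected releases, the following added example (not code from the Axios maintainers or the researchers cited here) scans a parsed package-lock.json for axios 1.14.1 or 0.30.4 and for plain-crypto-js at any version. The function names, the sample lockfile and the plain-crypto-js version string in it are constructed for illustration.

```javascript
// Indicators taken from the article: two compromised axios releases and the
// dependency they pulled in. An empty version list means "any version".
const INDICATORS = { axios: ["1.14.1", "0.30.4"], "plain-crypto-js": [] };

// Package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

function matches(name, version, indicators) {
  if (!Object.prototype.hasOwnProperty.call(indicators, name)) return false;
  const bad = indicators[name];
  return bad.length === 0 || bad.includes(version);
}

// Lockfile v1 keeps transitive copies in nested "dependencies" objects.
function walkV1(deps, trail, indicators, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const where = trail.concat(name).join(" > ");
    if (matches(name, info.version, indicators)) out.push({ name, version: info.version, where });
    walkV1(info.dependencies, trail.concat(name), indicators, out);
  }
}

// Returns every lockfile entry that matches an indicator, nested copies included.
function scanLockfile(lock, indicators = INDICATORS) {
  const out = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      const name = info.name || nameFromPath(path); // "name" is set for aliased installs
      if (name && matches(name, info.version, indicators)) out.push({ name, version: info.version, where: path });
    }
  } else {
    walkV1(lock.dependencies, [], indicators, out);
  }
  return out;
}

// Constructed sample lockfile (v3 layout), not taken from a real project.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "0.0.0-constructed" },
    "node_modules/legacy/node_modules/axios": { version: "0.27.2" },
  },
};
console.log(scanLockfile(SAMPLE_LOCK));
```

Pass it the result of `JSON.parse` on a real package-lock.json. An empty result only covers what that lockfile recorded, so build caches and machines that installed without a lockfile need a separate check.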

The Axios team confirmed that they have since secured their infrastructure by resetting credentials, cleaning impacted machines, and introducing additional safeguards to prevent similar incidents.

Further investigation by Google Threat Intelligence Group linked the activity to a North Korea-associated threat actor identified as UNC1069. This group, active since at least 2018, is believed to be financially motivated. Attribution was based on malware similarities, including the use of an updated toolset previously tied to the group, as well as overlaps in command-and-control infrastructure observed in earlier operations.


Social Engineering as the Entry Point

The compromise did not begin with a technical flaw. Instead, it started weeks earlier with a carefully orchestrated social engineering attack targeting Axios maintainer Jason Saayman.

Attackers posed as a legitimate organization by replicating its branding, leadership identities, and communication style. They invited the target into what appeared to be a genuine Slack workspace. This environment was not hastily assembled. It contained multiple channels, staged conversations, and curated activity, including links that redirected to real company LinkedIn profiles. Fake user accounts were also created to impersonate employees and known open-source contributors, increasing credibility.

After establishing trust, the attackers scheduled a video meeting that appeared to involve several participants. During the session, the target was shown what looked like a technical issue, specifically a connection-related error. He was then instructed to install an update presented as necessary to resolve the problem.

In reality, this “update” was malicious software that granted the attackers remote access to the system. Once inside, they were able to extract authentication credentials linked to the npm account.


Repeated Tactics Across Multiple Targets

Other maintainers later reported nearly identical experiences. In several cases, attackers attempted to persuade targets to install what they described as a Microsoft Teams software development kit update. When that approach failed, they escalated their efforts by asking victims to execute command-line instructions, including downloading and running scripts via curl commands.

One such target, Pelle Wessman, described how attackers abandoned the interaction and deleted all communication after he refused to comply.

These methods align with a broader category of attacks sometimes referred to as “ClickFix” techniques, where victims are misled into resolving fake technical issues that ultimately result in malware execution.


Bypassing Security Controls

Because the attackers gained access to already authenticated sessions, they were able to bypass multi-factor authentication protections. This highlights a critical limitation of MFA, which is effective against credential theft but less effective once an active session is compromised.

Importantly, the attackers did not modify Axios’s source code directly. Instead, they inserted a malicious dependency into legitimate package releases, making the compromise significantly harder to detect during routine checks.


A Coordinated Supply Chain Campaign

Research from Socket indicates that this incident is part of a broader, coordinated campaign targeting maintainers across the Node.js ecosystem. Multiple developers, including contributors to widely used packages and even core components, reported receiving similar outreach messages through platforms such as LinkedIn and Slack.

The attackers followed a consistent pattern: initial contact, trust-building within controlled communication channels, followed by staged video calls where victims were prompted to install software or run commands under the pretense of fixing technical issues.

The scale of targeting is particularly concerning. Many of the developers approached are responsible for packages with billions of weekly downloads, meaning a single compromised account can have far-reaching consequences across the global software ecosystem.


Future Outlook 

This incident points to a shift in attacker strategy. Rather than focusing solely on software vulnerabilities, threat actors are increasingly exploiting human trust within high-impact projects. Open-source software, which underpins much of today’s digital infrastructure, is an attractive target because of its widespread adoption and its reliance on maintainers.

Security experts warn that such attacks are likely to increase in frequency. Protecting against them will require not only technical safeguards, but also stronger operational discipline, including stricter access controls, hardware-based authentication, and heightened awareness of social engineering tactics.

The Axios breach ultimately demonstrates that in modern supply chain attacks, the weakest link is often not the code, but the people who maintain it.

Malicious NPM Package Masquerading as WhatsApp Web API Steals Messages and Account Access

 

A harmful package hosted on the Node Package Manager (NPM) registry has been found impersonating a genuine WhatsApp Web API library, with the intent to spy on user activity. Disguised as a legitimate developer tool, the package is designed to siphon WhatsApp messages, harvest contact details, and ultimately take control of user accounts.

The threat originates from a fork of the widely used WhiskeySockets Baileys project. While it offers the same expected functionality, the compromised package was published on npm under the name lotusbail and has been available for at least six months, during which it was downloaded over 56,000 times.

The issue was uncovered by researchers at supply-chain security firm Koi Security. Their analysis revealed that the package is capable of capturing WhatsApp authentication tokens and session keys, monitoring all incoming and outgoing messages, and extracting sensitive data such as contact lists, media, and shared documents.

"The package wraps the legitimate WebSocket client that communicates with WhatsApp. Every message that flows through your application passes through the malware's socket wrapper first," the researchers explain.
"When you authenticate, the wrapper captures your credentials. When messages arrive, it intercepts them. When you send messages, it records them."

According to the researchers, the stolen data is protected before exfiltration using a custom RSA-based encryption scheme combined with several layers of obfuscation. These techniques include Unicode manipulation, LZString compression, and AES encryption, making detection and analysis significantly more difficult.

Beyond data theft, the malicious code also secretly pairs the attacker’s device with the victim’s WhatsApp account using WhatsApp’s own device-linking mechanism. This allows long-term access to the account even if the infected NPM package is later removed. The unauthorized access persists until the victim manually reviews and removes unknown linked devices from their WhatsApp settings.

Koi Security also noted that lotusbail employs 27 infinite loop traps to frustrate debugging efforts, a tactic that likely helped it evade detection for an extended period.

Developers who may have installed the package are strongly advised to uninstall it immediately and review their WhatsApp accounts for any unfamiliar linked devices. Koi Security further warns that simply scanning source code is insufficient; developers should also observe runtime behavior, watching for suspicious outbound connections or abnormal activity during authentication when introducing new dependencies.