Article Details
Scrape Timestamp (UTC): 2024-01-23 14:25:55.884
Source: https://thehackernews.com/2024/01/malicious-npm-packages-exfiltrate-1600.html
Original Article Text
Malicious NPM Packages Exfiltrate 1,600+ Developer SSH Keys via GitHub

Two malicious packages discovered on the npm package registry have been found to use GitHub as a drop site for Base64-encoded SSH keys stolen from the developer systems on which they were installed. The modules, named warbeast2000 and kodiak2k, were published at the start of the month and attracted 412 and 1,281 downloads respectively before the npm maintainers took them down. The most recent downloads occurred on January 21, 2024.

Software supply chain security firm ReversingLabs, which made the discovery, said there were eight different versions of warbeast2000 and more than 30 versions of kodiak2k. Both modules register a postinstall script that runs automatically after installation and retrieves and executes two different JavaScript files. While warbeast2000 attempts to read the private SSH key, kodiak2k looks for a key named "meow," suggesting the threat actor used a placeholder name during early development.

"This second stage malicious script reads the private SSH key stored in the id_rsa file located in the <homedir>/.ssh directory," security researcher Lucija Valentić said. "It then uploaded the Base64-encoded key to an attacker-controlled GitHub repository."

Subsequent versions of kodiak2k were found to execute a script taken from an archived GitHub project hosting the Empire post-exploitation framework. That script is capable of launching the Mimikatz tool to dump credentials from process memory.

"The campaign is just the latest example of cybercriminals and malicious actors using open source package managers and related infrastructure to support malicious software supply chain campaigns that target development organizations and end-user organizations," Valentić said.
Daily Brief Summary
Two npm packages, warbeast2000 and kodiak2k, were found stealing SSH keys from developers and storing them on GitHub.
The packages were downloaded over 1,600 times before npm maintainers removed them.
The security firm ReversingLabs identified multiple versions of the malicious packages, indicating an ongoing threat.
The postinstall scripts of these packages retrieve and execute additional malicious JavaScript files that read private SSH keys.
The kodiak2k package was also seen executing a script capable of launching Mimikatz to extract credentials from memory.
This incident highlights the continued risk of malicious software within open source package repositories and the impact on software supply chain security.