Article Details

Scrape Timestamp (UTC): 2023-11-03 06:07:57.064

Source: https://thehackernews.com/2023/11/48-malicious-npm-packages-found.html

Original Article Text


48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems

A new set of 48 malicious npm packages has been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems.

"These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said.

All the counterfeit packages were published by an npm user named hktalent (GitHub, X). As of writing, 39 of the packages uploaded by the author are still available for download.

The attack chain is triggered after the installation of the package via an install hook in the package.json that calls JavaScript code to establish a reverse shell to rsh.51pwn[.]com.

"In this particular case, the attacker published dozens of benign-sounding packages with several layers of obfuscation and deceptive tactics in an attempt to ultimately deploy a reverse shell on any machine that simply installs one of these packages," Phylum said.

The findings arrive close on the heels of revelations that two packages published to the Python Package Index (PyPI) under the guise of simplifying internationalization incorporated malicious code designed to siphon sensitive Telegram Desktop application data and system information.

The packages, named localization-utils and locute, were found to retrieve the final payload from a dynamically generated Pastebin URL and exfiltrate the information to an actor-controlled Telegram channel.

The development highlights the increasing interest of threat actors in open-source environments, which allow them to set up impactful supply chain attacks that can target several downstream customers all at once.
"These packages show a dedicated and elaborate effort to avoid detection via static analysis and visual inspection by employing a variety of obfuscation techniques," Phylum said, adding they "serve as yet another stark reminder of the critical nature of dependency trust in our open-source ecosystems."

Daily Brief Summary

MALWARE // 48 Malicious npm Packages Discovered, Able to Deploy Reverse Shells on Developer Systems

A total of 48 malicious npm packages, which can deploy a reverse shell on compromised systems, were discovered in the npm repository.

The illegitimate packages contained obfuscated JavaScript designed to open a reverse shell upon installation of the package.

These malicious packages were published by an npm user named hktalent. As of the report, 39 of the packages are still available for download.

The attack is triggered after the installation of the package through an install hook in the package.json that calls JavaScript code which establishes a reverse shell.

These findings closely follow reports revealing that two packages published to the Python Package Index (PyPI) contained malicious code designed to harvest Telegram Desktop application data and system information.

The scenarios highlight the increasing threat actor interest in open-source environments, resulting in impactful supply chain attacks that can target several downstream customers simultaneously.

The malicious npm packages utilized several obfuscation techniques to avoid detection through static analysis or visual inspection.