
Cybersecurity researchers have discovered a new batch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information.

Software supply chain firm Phylum, which first identified the “test” packages on July 31, 2023, said they “demonstrated increasing functionality and refinement,” hours after which they were removed and re-uploaded under different, legitimate-sounding package names.

While the end goal of the undertaking is not clear, it’s suspected to be a highly targeted campaign aimed at the cryptocurrency sector based on references to modules such as “rocketrefer” and “binarium.”

All the packages were published by the npm user malikrukd4732. Common to all the modules is a JavaScript file (“index.js”) that, once launched, exfiltrates valuable information to a remote server.

“The index.js code is spawned in a child process by the preinstall.js file,” the Phylum researcher team said. “This action is prompted by the postinstall hook defined in the package.json file, which is executed upon package installation. Therefore, the mere act of installing this package initiates the execution of all this code.”

The first step entails gathering the current operating system username and the current working directory, following which a GET request with the collected data is sent to 185.62.57[.]60:8000/http. The exact motivation behind this action is currently unknown, although it’s believed that the information could be used to trigger “unseen server-side behaviors.”
