Cybersecurity researchers have discovered a new ongoing campaign aimed at the npm ecosystem that leverages a unique execution chain to deliver an unknown payload to targeted systems.
“The packages in question seem to be published in pairs, each pair working in unison to fetch additional resources which are subsequently decoded and/or executed,” software supply chain security firm Phylum said in a report released last week.
To that end, the order in which the pair of packages are installed is paramount to pulling off a successful attack, as the first of the two modules is designed to store locally a token retrieved from a remote server. The campaign was first discovered on June 11, 2023.
The second package subsequently passes this token as a parameter alongside the operating system type to an HTTP GET request to acquire a second script from the remote server. A successful execution returns a Base64-encoded string that is immediately executed but only if that string is longer than 100 characters.
images from Hacker News