Malicious npm Packages: A Growing Threat to Developers (2026)


Security researchers have identified four malicious npm packages that deliver infostealers and the Phantom Bot DDoS malware. All four were published by the same npm account, 'deadcode09284814', and the set is notable less for its sophistication than for how directly it reuses publicly available malware.

One of the packages, 'chalk-tempalte' (a typosquat of the legitimate chalk-template), contains a near-verbatim clone of the Shai-Hulud worm, whose source code was released publicly by TeamPCP. The clone differs from the original mainly in that it carries its own command-and-control (C2) server and its own private key, so that what it steals goes to this operator rather than to the original worm's authors. It harvests SSH keys, environment variables, cloud credentials, system information, the host's IP address, and cryptocurrency wallet data, and exfiltrates all of it to that C2 server.

The 'axois-utils' package (a typosquat of axios) drops Phantom Bot, a Go-based distributed denial-of-service (DDoS) bot that can flood target websites over HTTP, TCP, and UDP. It establishes persistence on both Windows and Linux; on Windows it copies the payload into the Startup folder and registers a scheduled task so that the bot survives a reboot.

The remaining two packages, '@deadcode09284814/axios-util' and 'color-style-utils', are plain infostealers: they collect the same SSH keys, environment variables, cloud credentials, system information, IP address, and cryptocurrency wallet data and send it to attacker-controlled servers. They are simpler than the Shai-Hulud clone but still pose a serious risk to anyone who installs them, because a single leaked cloud or SSH credential is enough to turn a workstation compromise into a wider one.

The discovery of these packages reflects a broader trend of supply chain and typosquatting attacks against open-source registries. Now that the Shai-Hulud code is publicly available, the barrier to launching such attacks is lower: an attacker no longer needs to write the stealer, only to republish it under a plausible name and swap in their own C2 server and key. OX Security warns that this is likely only the first phase of a wider wave of supply chain attacks, and developers must remain vigilant.

Anyone who installed these packages should act immediately: uninstall them (and purge them from lockfiles and node_modules), locate and remove any malicious configuration the packages left behind in IDEs and coding agents, rotate every secret the stealers could have reached (SSH keys, cloud credentials, tokens held in environment variables, wallet keys), check GitHub for repositories carrying the specific descriptions associated with this campaign, and block network access to the associated domains. Treat every secret that was present on the machine as compromised rather than trying to work out which ones were actually exfiltrated. The security of the software supply chain is a shared responsibility, and developers must stay informed and proactive to protect their systems and data.
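As an added example (not code from the article, from OX Security, or from npm), here is a Python script that checks a project's package-lock.json for the four package names listed above and, generalising the typosquatting point, for any dependency whose name sits within a small edit distance of a popular package. The allow-list of popular names, the sample lockfile and the name 'lodahs' are constructed for illustration; the lockfile layouts it parses are npm's real v1 and v2/v3 formats.

```python
"""Scan an npm lockfile for the four packages named in the article and for
typosquat-style names within a small edit distance of popular packages.
Added example; not code from the article, OX Security, or npm."""
import json
import sys
from typing import Dict, List, Tuple

# The four package names reported in the article.
KNOWN_MALICIOUS = {
    "chalk-tempalte",
    "axois-utils",
    "@deadcode09284814/axios-util",
    "color-style-utils",
}

# Assumed, deliberately short allow-list of popular names to compare against.
# A real scan would use a much larger list (e.g. the top npm downloads).
POPULAR = {"chalk", "chalk-template", "axios", "color", "lodash", "express"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _walk_v1(deps: dict, out: Dict[str, str]) -> None:
    """lockfileVersion 1 nests each package's dependencies inside it."""
    for name, meta in deps.items():
        out[name] = meta.get("version", "")
        _walk_v1(meta.get("dependencies", {}), out)


def lockfile_packages(lock: dict) -> Dict[str, str]:
    """Return {name: version} for every installed package in a lockfile.

    In lockfileVersion 2/3 the "packages" keys are install paths such as
    'node_modules/@scope/name' or 'node_modules/a/node_modules/b'; the name
    is whatever follows the last 'node_modules/'.  The "" key is the root.
    """
    out: Dict[str, str] = {}
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path:
                out[path.rsplit("node_modules/", 1)[-1]] = meta.get("version", "")
    else:
        _walk_v1(lock.get("dependencies", {}), out)
    return out


def scan(lock: dict, max_distance: int = 2) -> List[Tuple[str, str, str]]:
    """Return (name, version, reason) for each suspicious dependency."""
    findings = []
    for name, version in lockfile_packages(lock).items():
        if name in KNOWN_MALICIOUS:
            findings.append((name, version, "known malicious package"))
            continue
        # Compare the unscoped part so '@types/chalk' is judged as 'chalk'.
        bare = name.split("/", 1)[1] if name.startswith("@") else name
        if bare in POPULAR:
            continue  # the genuine package itself
        dist, closest = min((edit_distance(bare, p), p) for p in POPULAR)
        if 0 < dist <= max_distance:
            findings.append((name, version,
                             f"looks like a typosquat of '{closest}' (distance {dist})"))
    return findings


# Constructed sample lockfile: versions are placeholders and 'lodahs' is a
# made-up name included only to exercise the typosquat rule.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/chalk": {"version": "0.0.0"},
        "node_modules/chalk-tempalte": {"version": "0.0.0"},
        "node_modules/@deadcode09284814/axios-util": {"version": "0.0.0"},
        "node_modules/express": {"version": "0.0.0"},
        "node_modules/express/node_modules/lodahs": {"version": "0.0.0"},
    },
}


if __name__ == "__main__":
    # Usage: python scan_lock.py path/to/package-lock.json (defaults to the sample).
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version, reason in scan(lock):
        print(f"{name}@{version}: {reason}")
```

An exact hit on one of the four names means the remediation steps above apply in full. A hit on the edit-distance rule is a lead to triage, not a verdict: short legitimate names such as 'color' and 'colors' are one edit apart, so a production scanner pairs this check with a curated allow-list and with publish metadata (account age, download counts) rather than relying on distance alone.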


Author: Allyn Kozey