Developers beware: Malicious npm packages exfiltrating sensitive data uncovered!


In a recent development, cybersecurity researchers have uncovered a series of malicious npm packages within the npm package registry that are specifically designed to exfiltrate sensitive information from developers. Software supply chain firm Phylum first detected these malicious packages, known as “test” packages, on July 31, 2023. Despite their removal, the packages resurfaced under different, seemingly legitimate names, indicating an evolving and sophisticated threat.

The primary target of this campaign appears to be the cryptocurrency sector, as is evident from references to modules like “rocketrefer” and “binarium.” All these packages were traced back to the npm user “malikrukd4732.” Each package shares a common feature: a JavaScript file (“index.js”) that extracts valuable information and transmits it to a remote server.

“The index.js code is spawned in a child process by the preinstall.js file,” explained the Phylum researcher team. “This action is prompted by the postinstall hook defined in the package.json file, which is executed upon package installation.”

The exfiltration process begins by gathering the current operating system username and working directory. Subsequently, the data is sent via a GET request to a specific server. The exact purpose of this action is currently unknown, but experts believe it may be used to trigger undisclosed server-side actions.

To maximize the potential of data theft, the script searches for files and directories with extensions such as .env, .svn, .gitlab, .hg, .idea, .yarn, .docker, .vagrant, .github, .asp, .js, .php, .aspx, .jspx, .jhtml, .py, .rb, .pl, .cfm, .cgi, .ssjs, .shtml, .env, .ini, .conf, .properties, .yml, and .cfg. The harvested data may include sensitive credentials and valuable intellectual property, which is then packaged into a ZIP archive and sent to the remote server.

Phylum analysts suggested that while some of the targeted directories might contain sensitive information, they are more likely to consist of standard application files, making them less valuable to attackers. The attackers’ primary motive appears to be the extraction of source code or environment-specific configuration files.

This incident is the latest example of malicious code propagating through open-source repositories. In a separate incident, cybersecurity firms ReversingLabs and Sonatype uncovered a PyPI campaign that used suspicious Python packages to contact a command-and-control (C2) server and execute potentially malicious commands.

Furthermore, this discovery highlights the dangers of using open-source repositories like npm for spreading malware. Earlier, ReversingLabs revealed a campaign named “Operation Brainleeches,” which involved 13 rogue npm modules used for phishing attacks and supply chain exploitation targeting developers.

The attackers exploited legitimate services like the jsDelivr content delivery network (CDN) to host files used in email phishing attacks. By implanting credential harvesting scripts in applications that incorporated fraudulent npm packages, the attackers aimed to compromise developers and their projects unknowingly.

As the threat landscape continues to evolve, developers are urged to exercise caution and employ security best practices when using third-party packages from open-source repositories like npm. Regular code audits, adherence to security guidelines, and staying informed about emerging threats are essential to safeguarding sensitive data and protecting against supply chain attacks. Developers are also advised to maintain vigilance, adopt a security-first mindset, and stay updated with the latest security advisories to defend against such threats effectively.
