top of page

NPM Ecosystem Targeted by a New Campaign with Unique Execution Chain

Cybersecurity researchers have discovered a new ongoing campaign aimed at the npm ecosystem that leverages a unique execution chain to deliver an unknown payload to targeted systems.

"The packages in question seem to be published in pairs, each pair working in unison to fetch additional resources which are subsequently decoded and/or executed," software supply chain security firm Phylum said in a report released last week.

In order to achieve this objective, the crucial factor is the sequence in which the pair of packages are installed, as the initial module is designed to locally store a token obtained from a remote server. The detection of this campaign was first made on June 11, 2023.

Subsequently, the second package passes this token as a parameter, along with the operating system type, in an HTTP GET request to retrieve a second script from the remote server. A successful execution results in the retrieval of a Base64-encoded string, which is immediately executed, but only if the string is longer than 100 characters.

Phylum disclosed that the endpoint has thus far returned the string "bm8gaGlzdG9yeSBhdmFpbGFibGU=," which translates to "no history available." This implies that either the attack is still a work in progress or it is designed to deliver a payload only at specific times.

An alternative hypothesis for this behavior could be that it depends on the IP address (and consequently the location) from which the request is sent by the first package when generating the token.

The identity of the threat actor responsible for this operation is currently unknown. However, the attack displays characteristics of a "reasonably" advanced supply chain threat, considering the efforts taken by the perpetrator to execute the attack while evading detection by dynamically delivering the next-stage payload.

"It's crucial that each package in a pair is executed sequentially, in the correct order, and on the same machine to ensure successful operation," Phylum noted. "This carefully orchestrated attack serves as a stark reminder of the ever-evolving complexity of modern threat actors in the open-source ecosystem."

This disclosure comes following the discovery by Sonatype of a group of six malicious packages on the Python Package Index (PyPI) repository – broke-rcl, brokescolors, brokescolors2, brokescolors3, brokesrcl, and trexcolors. These packages were uploaded by a single account named broke.

Security researcher and journalist Ax Sharma revealed that "These packages target the Windows operating system and are identical with regards to their versioning.", "Upon installation, these packages simply download and run a trojan hosted on Discord's servers."

Sonatype also uncovered a package called libiobe capable of targeting both Windows and Linux operating systems. On Windows machines, the package deploys an information stealer, while on Linux, it is configured to profile the system and send that information to a Telegram endpoint.

"It is hard to ascertain who would ultimately run packages with such names or who they are specifically targeting," Sharma noted. "While these packages may not be employing any novel payload or tactics, or have obvious targets, they are a testament to the ongoing malicious attacks that are targeting open source software registries like PyPI and npm."

6 views0 comments


bottom of page