Malicious npm Library Steals Data and Mines Crypto
Title: NPM Supply Chain Attack: Malicious Code Discovered in Popular JavaScript Package
Introduction
Cybersecurity experts have uncovered a significant software supply chain attack affecting the npm package registry, with malicious code hidden in a seemingly innocuous library. The package, known as @0xengine/xmlrpc, was first published on October 2, 2023, and has been active for over a year, targeting unsuspecting developers. This attack demonstrates the urgent need for vigilance in software supply chain security as it exploits trusted dependencies to steal sensitive data and mine cryptocurrency.
Understanding the NPM Package Attack
The malicious code was introduced in version 1.3.4 of @0xengine/xmlrpc, a JavaScript XML-RPC server and client for Node.js. According to Checkmarx, that version appeared one day after the package was first published, and from then on the package harvested critical information from infected systems, including:
- SSH keys
- Bash history
- System metadata
- Environment variables
This sensitive information is exfiltrated through services like Dropbox and file.io every 12 hours.
Distribution Methods of Malicious Code
Yehuda Gelb, a security researcher at Checkmarx, outlined two primary vectors for distributing the malicious npm package:
- Direct npm installation: users downloading the package directly from the npm registry unknowingly install the compromised code.
- Hidden dependency in a GitHub project: the attack also spreads through a GitHub project called yawpp (Yet Another WordPress Poster), which lists @0xengine/xmlrpc as a dependency. When users set up yawpp, the malicious package is installed automatically along with it.
It remains uncertain whether the yawpp developer intentionally included the malicious package. However, this method effectively exploits the trust users place in legitimate-looking package dependencies.
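The hidden-dependency vector is why checking package.json alone is not enough: a package that arrives transitively shows up only in the lockfile. The following Node.js script is an added illustration, not code from Checkmarx or from the yawpp project. It walks the packages map of an npm package-lock.json (lockfileVersion 2 or 3), flags @0xengine/xmlrpc, marks versions at or above 1.3.4 as known malicious (the threshold is taken from the text above), and reports which package pulled it in. The sample lockfile, the project name blog-tools and the dependency wp-autopost-kit are constructed for the example.

```javascript
// Added example: scan an npm package-lock.json (lockfileVersion 2 or 3) for a
// known-malicious package, including when it arrives as a transitive dependency.
// Not code from the Checkmarx report or from the yawpp project.

const KNOWN_BAD = {
  // Package name -> first version the advisory text identifies as malicious.
  "@0xengine/xmlrpc": "1.3.4",
};

// "1.3.4", "v1.3.4" or "1.3.4-beta" -> [1, 3, 4]; non-numeric parts become 0.
function parseVersion(v) {
  return v.replace(/^v/, "").split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Numeric comparison of dotted versions: -1, 0 or 1.
function cmpVersion(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Package name from an install path such as "node_modules/a/node_modules/@s/b".
function nameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? p : p.slice(idx + "node_modules/".length);
}

function scanLockfile(lock) {
  const packages = lock.packages || {};
  const dependents = {};
  // Record which installed package (or the root package.json) declares each dependency,
  // so a finding can explain how the bad package got into the tree.
  for (const [path, entry] of Object.entries(packages)) {
    const declared = Object.assign(
      {},
      entry.dependencies || {},
      entry.optionalDependencies || {},
      entry.devDependencies || {}
    );
    for (const depName of Object.keys(declared)) {
      if (!dependents[depName]) dependents[depName] = [];
      dependents[depName].push(path === "" ? "<root package.json>" : nameFromPath(path));
    }
  }
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // the root project itself
    const name = nameFromPath(path);
    const firstBad = KNOWN_BAD[name];
    if (!firstBad) continue;
    findings.push({
      name,
      version: entry.version,
      path,
      knownMalicious: cmpVersion(entry.version, firstBad) >= 0,
      requiredBy: dependents[name] || [],
    });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): the root depends only on a
// hypothetical "wp-autopost-kit", which pulls in @0xengine/xmlrpc 1.3.4 transitively.
const SAMPLE_LOCK = {
  name: "blog-tools",
  lockfileVersion: 3,
  packages: {
    "": { name: "blog-tools", dependencies: { "wp-autopost-kit": "^2.0.0" } },
    "node_modules/wp-autopost-kit": { version: "2.1.0", dependencies: { "@0xengine/xmlrpc": "^1.3.0" } },
    "node_modules/@0xengine/xmlrpc": { version: "1.3.4" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  const verdict = f.knownMalicious ? "MALICIOUS" : "REVIEW";
  console.log(`${verdict} ${f.name}@${f.version} at ${f.path}; required by: ${f.requiredBy.join(", ")}`);
}
```

Lockfiles with lockfileVersion 1 carry a nested dependencies tree rather than a packages map and need a different walker. Running a check like this in CI, against the committed lockfile, catches a new transitive dependency before anyone runs npm install.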
Impact and Malicious Activities
Once installed, the malware establishes persistence on the host through systemd and deploys the XMRig cryptocurrency miner; so far, around 68 systems have been identified as actively mining cryptocurrency for the attackers. To stay hidden, the malware continuously monitors running processes and halts its mining activity when process-monitoring commands such as top, iostat or ps are detected.
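Because the miner pauses when it sees a monitoring tool running, a process listing taken while you are watching is an unreliable indicator; the systemd persistence described above is the more durable artifact to hunt for. The following Node.js triage script is an added example, not code from Checkmarx or from the malware. It parses systemd unit files and flags services whose ExecStart lines run binaries from user-writable or hidden directories or name xmrig; the heuristics are the author's assumptions, not a signature for this campaign, and the two sample unit files are constructed for the example rather than recovered from a real infection.

```javascript
// Added example: triage systemd unit files for persistence that looks like a
// dropped miner or loader. Heuristic checks, assumed here; not a signature for
// the @0xengine/xmlrpc campaign, and not code from the Checkmarx report.

// Locations a packaged service would not normally run from (assumption).
const SUSPICIOUS_DIRS = [/^\/tmp\//, /^\/var\/tmp\//, /^\/dev\/shm\//, /^\/home\/[^/]+\//, /^\/root\//];
// Miner binary names; xmrig comes from the report, the rest are assumptions.
const SUSPICIOUS_NAMES = [/xmrig/i, /minerd/i];

// Parse the INI-style unit file into { section: { key: [value, ...] } }.
// Keys repeat in systemd units (several ExecStartPre= lines), hence the arrays.
function parseUnit(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const sec = line.match(/^\[(.+)\]$/);
    if (sec) {
      current = sec[1];
      if (!sections[current]) sections[current] = {};
      continue;
    }
    const eq = line.indexOf("=");
    if (eq === -1 || current === null) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (!sections[current][key]) sections[current][key] = [];
    sections[current][key].push(value);
  }
  return sections;
}

// Exec lines may start with prefixes such as "-", "@", "+", "!" or ":"; strip
// them and split the command line on whitespace.
function execTokens(value) {
  return value.replace(/^[-@+!:]+/, "").split(/\s+/).filter(Boolean);
}

function triageUnit(name, text) {
  const unit = parseUnit(text);
  const svc = unit.Service || {};
  const reasons = [];
  for (const key of ["ExecStartPre", "ExecStart", "ExecStartPost"]) {
    for (const value of svc[key] || []) {
      for (const tok of execTokens(value)) {
        if (!tok.startsWith("/")) continue; // only absolute paths are judged
        if (SUSPICIOUS_DIRS.some((re) => re.test(tok))) reasons.push(`${key} runs from a writable/user path: ${tok}`);
        if (SUSPICIOUS_NAMES.some((re) => re.test(tok))) reasons.push(`${key} names a known miner binary: ${tok}`);
        if (/\/\.[^/]+\//.test(tok)) reasons.push(`${key} uses a hidden directory: ${tok}`);
      }
    }
  }
  // Restart=always is only interesting in combination with the above.
  if (reasons.length && (svc.Restart || []).includes("always")) reasons.push("Restart=always keeps the process alive");
  return { name, suspicious: reasons.length > 0, reasons };
}

function triageAll(units) {
  return units.map((u) => triageUnit(u.name, u.text));
}

// Constructed sample unit files (not recovered from a real infection).
const SAMPLE_UNITS = [
  {
    name: "ssh.service",
    text: "[Unit]\nDescription=OpenBSD Secure Shell server\n[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\nRestart=on-failure\n",
  },
  {
    name: "sys-cache.service",
    text: "[Unit]\nDescription=System cache helper\n[Service]\nExecStart=/home/dev/.cache/.x/xmrig --config=/home/dev/.cache/.x/config.json\nRestart=always\n[Install]\nWantedBy=multi-user.target\n",
  },
];

for (const r of triageAll(SAMPLE_UNITS)) {
  console.log(`${r.suspicious ? "SUSPICIOUS" : "ok        "} ${r.name}${r.reasons.length ? "\n  - " + r.reasons.join("\n  - ") : ""}`);
}
```

On a live host the unit texts would be read from /etc/systemd/system, /run/systemd/system and each user's ~/.config/systemd/user, since a package installed without root can still register a user-level service. A unit with a bland name and a benign Description is exactly what a hit looks like, so the verdict should rest on where ExecStart points, not on the name.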
Gelb emphasized the importance of being cautious: "A package’s longevity and maintenance history do not guarantee its safety. Vigilance is necessary throughout a package’s lifecycle."
Ongoing Threat Landscape
This incident is part of a broader campaign identified by Datadog Security Labs, which is tracking similar malicious activities targeting Windows users. This campaign involves counterfeit packages uploaded to both npm and the Python Package Index (PyPI) repositories, aiming to deploy malware like Blank-Grabber and Skuld Stealer.
Researchers noted that 18 and 39 counterfeit packages have surfaced on npm and PyPI, respectively, often using typosquatting techniques to appear legitimate. The focus on Roblox developers is particularly concerning, as many of these npm packages reference the popular online game creation platform.
Conclusion
The revelation of this software supply chain attack highlights the critical importance of maintaining vigilance in software security practices. As a precaution, developers are encouraged to thoroughly vet their dependencies, including the transitive ones pulled in by projects they install, and to stay informed about potential threats.