EXECUTIVE SUMMARY
The threat actor behind this attack is a new entity that has emerged in the cybercrime landscape, deploying malicious npm packages containing infostealer malware. This campaign targets developers and organisations that rely on npm for package dependencies, with the primary goal of stealing sensitive data, including credentials, crypto wallets, and environment variables. The actor's methods involve uploading non-obfuscated Shai-Hulud clones and DDoS botnet packages to npm, exploiting the platform's openness and lack of effective quality control measures.
The malware infects systems through npm package dependencies, with the malicious code being executed when the package is installed. Once inside, the malware uses various techniques to persist on the system, including adding persistence logic to stay on the target machine even after the npm package is deleted. The malware then exfiltrates sensitive data to remote C2 servers, using the stolen credentials to upload the information to new GitHub repositories.
The actor maintains control over the malware by using a C2 server to receive stolen data, with the malware also containing a DDoS botnet targeting websites to flood them with HTTP, TCP, UDP, and Reset requests. This threat is significant for organisations that rely on npm for package dependencies, as it highlights the importance of implementing effective quality control measures and monitoring package installations. The actor's use of non-obfuscated Shai-Hulud clones and DDoS botnet packages makes it difficult to detect and recover from the attack. To mitigate this threat, organisations should ensure that they have up-to-date patching and monitoring in place, with a focus on identifying and eliminating code-level issues across the entire software development lifecycle. Additionally, organisations should implement robust endpoint protection and take steps to educate developers about the risks associated with using npm and other package dependencies.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1195.001 | Supply Chain Compromise | Compromise Software Dependencies and Development Tools |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Persistence | T1543.001 | Create or Modify System Process | Launch Agent |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Command and Control | T1043 | Commonly Used Port | — |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol | Exfiltration Over Unencrypted Non-C2 Protocol |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/malicious-npm-packages-steal-keys/