NPM landscape compromised by infectious packages

July 4, 2023
Tags: NPM, PyPI, Software Development, Compromised Packages, Trojan, Repository, Supply Chain Attack

New cybersecurity research has uncovered an ongoing cybercriminal campaign targeting the NPM ecosystem. Researchers found the campaign earlier this month, after the attackers published a pair of packages that function in tandem to retrieve additional malicious resources.

Based on reports, the two packages must be installed in the correct sequence for the process to run as intended. The researchers claimed that the campaign operators designed the first package to fetch a token from a remote server and store it locally.

The second package then sends the token obtained by the first to the remote server to retrieve another script. This request returns a Base64 string, which the package decodes and executes only if its length exceeds 100 characters.

Threat analysts found that the endpoint has consistently returned the same string, which decodes to “no history available.”

The NPM threat could be a targeted attack or a dry run for testing.

According to the investigation, this result means either that the attack technique is still under development or that the malicious payload is delivered intentionally only to specific NPM or PyPI targets.

Another possibility is that delivery depends on the IP address from which the request is sent when the token is generated.

The researchers have yet to attribute the attack to a known threat group, but they described it as a carefully orchestrated supply chain attack. The operators have also adopted a dynamic delivery method for the follow-on payload in order to evade security detections.

Separate research revealed six malicious packages on the PyPI repository, uploaded by an actor or account named “broke.” Once installed, these packages could download and run a trojan hosted on Discord servers. The research company also explained that one of the six packages could target multiple operating systems, including Linux and Windows.

The sudden appearance of malicious packages on PyPI and NPM should prompt users to adopt more robust security practices and heightened vigilance, which help protect against the risks these packages pose.

Lastly, maintainers, users, and developers should verify the authenticity and integrity of all packages before installing them.
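One concrete form of the integrity check recommended above is to compare a downloaded npm tarball against the `integrity` value pinned in package-lock.json (lockfile v2/v3 keeps these under `packages`). The code below is an added example, not code from the article or from npm itself; the lockfile fragment, the package name `example-pkg` and the tarball bytes are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed sample: these bytes stand in for a downloaded .tgz file.
SAMPLE_TARBALL = b"\x1f\x8b\x08\x00" + b"constructed tarball contents " * 4


def sri_sha512(data: bytes) -> str:
    """Compute the Subresource Integrity string npm stores in package-lock.json."""
    digest = hashlib.sha512(data).digest()
    return "sha512-" + base64.b64encode(digest).decode("ascii")


# Constructed lockfile fragment in the shape of package-lock.json v3.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "node_modules/example-pkg": {
            "version": "1.0.0",
            "resolved": "https://registry.example.invalid/example-pkg/-/example-pkg-1.0.0.tgz",
            "integrity": sri_sha512(SAMPLE_TARBALL),
        }
    },
}


def verify_package(lock: dict, name: str, tarball: bytes) -> bool:
    """Return True only if the tarball matches the integrity value pinned for `name`.

    Weaker algorithms (sha1) are rejected, a missing pin fails closed, and the
    comparison is constant-time. A tarball whose contents were swapped on the
    registry after the lockfile was committed fails this check.
    """
    entry = lock.get("packages", {}).get(f"node_modules/{name}")
    if entry is None:
        return False
    pinned = entry.get("integrity", "")
    algo, _, digest_b64 = pinned.partition("-")
    if algo != "sha512" or not digest_b64:
        return False
    return hmac.compare_digest(sri_sha512(tarball), pinned)


if __name__ == "__main__":
    print("clean tarball:", verify_package(SAMPLE_LOCK, "example-pkg", SAMPLE_TARBALL))
    print("tampered tarball:", verify_package(SAMPLE_LOCK, "example-pkg", SAMPLE_TARBALL + b"x"))
```

This only detects drift from what was first locked; a package that was already malicious when it was added passes, so reviewing new dependencies before pinning them still matters.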
