Ten npm packages compromised by an infostealer campaign

May 5, 2025

A new infostealer campaign has infected at least 10 npm packages. Reports revealed that attackers pushed updated versions of the packages containing malicious code aimed at developers.

According to the initial assessment, the compromised npm packages could allow attackers to steal environment variables and other sensitive information from developers’ workstations. The campaign also targeted several crypto-related packages, including the popular ‘country-currency-map’ package, which was downloaded hundreds of times every week.

Researchers found the malware in two heavily obfuscated scripts that run when the package is installed. They also report that the JavaScript collects the device’s environment variables and sends them to a remote host.

Attackers commonly target environment variables because they often hold API keys, database credentials, cloud credentials, and encryption keys that can be reused in follow-on attacks.


The infostealer campaign has infected the npm packages with similar malicious code.


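As an added defensive check (not from the article or the researchers it cites), the following Node script flags package manifests whose install-time lifecycle hooks would run code automatically during `npm install`, the mechanism described above. The package names and manifests are constructed samples, and the pattern list is an assumption about common launcher shapes, not a signature from this campaign.

```javascript
// Added example: audit package.json manifests for lifecycle hooks that npm
// runs automatically on install. All package names and manifests below are
// constructed for illustration.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Assumed shapes of install-time payload launchers (not campaign-specific):
// a bundled .js file executed with node, or a download during install.
const SUSPICIOUS = [
  /\bnode\s+\S+\.js\b/i, // "node scripts/launch.js"
  /\bcurl\b|\bwget\b/i,  // fetches something at install time
];

// Returns every install hook in a manifest, rated 'high' if the command
// matches a suspicious pattern and 'review' otherwise (native addons
// legitimately use install hooks, e.g. node-gyp, so they still need a look).
function auditManifest(name, manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== 'string') continue;
    const cmd = scripts[hook];
    const hit = SUSPICIOUS.some((re) => re.test(cmd));
    findings.push({ hook, cmd, severity: hit ? 'high' : 'review' });
  }
  return { name, findings };
}

// Audits a map of name -> manifest and keeps only packages with install hooks.
function auditAll(manifests) {
  return Object.entries(manifests)
    .map(([name, m]) => auditManifest(name, m))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample: a clean library, a hijacked one, and a native addon.
const SAMPLE_MANIFESTS = {
  'example-clean-lib': { version: '1.2.3', scripts: { test: 'mocha' } },
  'example-hijacked-lib': {
    version: '1.2.4',
    scripts: { postinstall: 'node scripts/launch.js' },
  },
  'example-native-addon': {
    version: '0.9.0',
    scripts: { install: 'node-gyp rebuild' },
  },
};

for (const r of auditAll(SAMPLE_MANIFESTS)) {
  for (const f of r.findings) {
    console.log(`${f.severity.toUpperCase()} ${r.name} ${f.hook}: ${f.cmd}`);
  }
}
```

Running the same audit over each `node_modules/*/package.json` after an install, or installing with `npm install --ignore-scripts` and reviewing flagged hooks before enabling them, keeps install-time code from running unseen.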
According to the investigation, the campaign placed identical malicious code in all the affected packages. Most of them had a clean record for years, which suggests their maintainer accounts were compromised in some way.

The researchers suspect that the hijack resulted from old npm maintainer accounts being taken over, either through credential stuffing or through an expired-domain takeover, both of which are common scenarios described in the npm documentation.

Given that several packages from different maintainers were hit at the same time, the first theory seems more likely than a well-orchestrated phishing effort.

All of these packages, except country-currency-map, are still available in their newest versions on npm. Installing them will therefore infect a developer’s projects with infostealers.

The maintainer of the country-currency-map package deprecated the harmful version and issued a message instructing developers to use the safe version instead. The fact that the infected projects’ GitHub repositories were not updated with malware lends credence to the theory that insecure npm maintainer accounts were used to carry out the attack.

Although npm now requires 2FA for popular projects, some of the packages affected by the new campaign are older ones that were last updated years ago, so their maintainers may no longer be actively engaged.

Developers should be wary of these infected npm packages, as they contain infostealers that can severely compromise their data and devices.
