Malicious NPM packages fetch infostealer for Windows, Linux, macOS

Ten malicious packages mimicking legitimate software projects in the npm registry download an information-stealing component that collects sensitive data from Windows, Linux, and macOS systems.

The packages were uploaded to npm on July 4, and remained undetected for a long period due to multiple layers of obfuscation that helped escape standard static analysis mechanisms.

According to researchers at cybersecurity company Socket, the ten packages counted nearly 10,000 downloads and stole credentials from system keyrings, browsers, and authentication services.

At the time of writing, the packages are still available, despite Socket reporting them to npm:

typescriptjs, deezcord.js, dizcordjs, dezcord.js, etherdjs, ethesjs, ethetsjs, nodemonjs, react-router-dom.js, zustand.js

Socket researchers say that the packages use a fake CAPTCHA challenge to appear legitimate and download a 24MB infostealer packaged with PyInstaller.

To lure users, the threat actor used typosquatting, a tactic that leverages misspellings or variations of the legitimate names for TypeScript (typed superset of JavaScript), discord.js (Discord bot library), ethers.js (Ethereum JS library), nodemon (auto-restarts Node apps), react-router-dom (React browser router), and zustand (minimal React state manager).

When searching for the legitimate packages on the npm platform, developers may mistype the name of the legitimate package or pick a malicious one listed in the results.

Upon installation, a ‘postinstall’ script is triggered automatically to spawn a new terminal that matches the host’s detected OS. The script executes ‘app.js’ outside the visible install log and clears the window immediately to evade detection.

The ‘app.js’ file is the malware loader, which employs four obfuscation layers: a self-decoding eval wrapper, XOR decryption with a dynamically generated key, a URL-encoded payload, and heavy control-flow obfuscation.
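As an added defensive example (not code from the article or from Socket), the following Python script audits parsed package.json manifests for the two signals described above: install-time lifecycle hooks such as postinstall, and package names that closely resemble the popular packages this campaign imitated. The known-package list, the similarity threshold and the sample manifests are constructed assumptions.

```python
"""Audit package.json manifests for install-time hooks and typosquatted names.
Example code; the known-package list and threshold are assumptions, not Socket's."""
import json
import os
from difflib import SequenceMatcher

# Constructed list of the legitimate packages the malicious names imitated
KNOWN_PACKAGES = ["typescript", "discord.js", "ethers", "nodemon",
                  "react-router-dom", "zustand"]
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
SIMILARITY_THRESHOLD = 0.7  # assumed cut-off; the names on the page all score above it


def closest_known(name):
    """Return (known_name, ratio) for the best match, or None if name is a known package."""
    if name in KNOWN_PACKAGES:
        return None
    best = max(KNOWN_PACKAGES, key=lambda k: SequenceMatcher(None, name, k).ratio())
    return best, SequenceMatcher(None, name, best).ratio()


def audit_manifest(manifest):
    """Return a list of human-readable findings for one parsed package.json dict."""
    findings = []
    name = manifest.get("name", "")
    for hook in LIFECYCLE_HOOKS:  # any code run at install time deserves a look
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd:
            findings.append(f"{name}: runs '{cmd}' in {hook}")
    match = closest_known(name)
    if match and match[1] >= SIMILARITY_THRESHOLD:
        findings.append(f"{name}: name resembles {match[0]} ({match[1]:.2f})")
    return findings


def audit_node_modules(root):
    """Walk a node_modules tree on disk and audit every package.json found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                findings.extend(audit_manifest(json.load(fh)))
    return findings


# Constructed sample manifests (not the real package contents)
SAMPLE_MANIFESTS = [
    {"name": "dezcord.js", "version": "1.0.0", "scripts": {"postinstall": "node app.js"}},
    {"name": "lodash", "version": "4.17.21"},
    {"name": "ethers", "version": "6.0.0"},
]

if __name__ == "__main__":
    for m in SAMPLE_MANIFESTS:
        for line in audit_manifest(m):
            print(line)
```

Run `audit_node_modules("node_modules")` in a project directory to apply the same checks to an installed tree.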
