Over 3 Dozen Data-Stealing Malicious npm Packages Discovered Targeting Developers



Oct 03, 2023 | THN | Software Security / Hacking


Nearly three dozen counterfeit packages have been discovered in the npm package repository that are designed to exfiltrate sensitive data from developer systems, according to findings from Fortinet FortiGuard Labs.

One set of packages – named @expue/webpack, @expue/core, @expue/vue3-renderer, @fixedwidthtable/fixedwidthtable, and @virtualsearchtable/virtualsearchtable – harbored an obfuscated JavaScript file capable of collecting valuable secrets.

This includes Kubernetes configurations, SSH keys, and system metadata such as the username, IP address, and hostname.


The cybersecurity firm said it also discovered another collection of four modules, i.e., binarium-crm, career-service-client-0.1.6, hh-dep-monitoring, and orbitplate, which result in the unauthorized extraction of source code and configuration files.

“The targeted files and directories may contain highly valuable intellectual property and sensitive information, such as various application and service credentials,” security researchers Jin Lee and Jenna Wang said. “It then archives these files and directories and uploads the resulting archives to an FTP server.”

Some of the packages observed have also been found leveraging a Discord webhook to exfiltrate sensitive data, while a few others are engineered to automatically download and execute a potentially malicious executable file from a URL.

In what’s a novel twist, a rogue package named @cima/prism-utils relied on an install script to disable TLS certificate validation (NODE_TLS_REJECT_UNAUTHORIZED=0), potentially rendering every outbound HTTPS connection made by the affected Node.js process vulnerable to adversary-in-the-middle (AitM) attacks.


The cybersecurity company said it categorized the identified modules into nine different groups based on code similarities and functions, with a majority of them employing install scripts that run pre- or post-install to carry out the data harvesting.

“End users should watch out for packages that employ suspicious install scripts and exercise caution,” the researchers said.
