Cybersecurity researchers have discovered a software supply chain attack that has remained active for over a year on the npm package registry by starting off as an innocuous library and later adding malicious code to steal sensitive data and mine cryptocurrency on infected systems.
The package, named @0xengine/xmlrpc, was originally published on October 2, 2023 as a JavaScript-based XML-RPC server and client for Node.js. It has been downloaded 1,790 times to date and remains available for download from the repository.
Checkmarx, which discovered the package, said the malicious code was strategically introduced in version 1.3.4 a day later, harboring functionality to harvest valuable information such as SSH keys, bash history, system metadata, and environment variables every 12 hours, and exfiltrate it via services like Dropbox and file.io.
“The attack achieved distribution through multiple vectors: direct npm installation and as a hidden dependency in a legitimate-looking repository,” security researcher Yehuda Gelb said in a technical report published this week.
The second approach involves a GitHub project repository named yawpp (short for “Yet Another WordPress Poster”) that purports to be a tool designed to programmatically create posts on the WordPress platform.
Its “package.json” file lists the latest version of @0xengine/xmlrpc as a dependency, thereby causing the malicious npm package to be automatically downloaded and installed when users attempt to set up the yawpp tool on their systems.
It’s currently not clear if the developer of the tool deliberately added this package as a dependency. The repository has been forked once as of writing. Needless to say, this approach is another effective malware distribution method as it exploits the trust users place in package dependencies.
Once installed, the malware is designed to collect system information, establish persistence on the host through systemd, and deploy the XMRig cryptocurrency miner. As many as 68 compromised systems have been found to actively mine cryptocurrency through the attacker’s Monero wallet.
Furthermore, it’s equipped to constantly monitor the list of running processes to check for the presence of commands like top, iostat, sar, glances, dstat, nmon, vmstat, and ps, and terminate all mining-related processes if found. It’s also capable of suspending mining operations if user activity is detected.
“This discovery serves as a stark reminder that a package’s longevity and consistent maintenance history do not guarantee its safety,” Gelb said. “Whether initially malicious packages or legitimate ones becoming compromised through updates, the software supply chain requires constant vigilance – both during initial vetting and throughout a package’s lifecycle.”
The disclosure comes as Datadog Security Labs uncovered an ongoing malicious campaign targeting Windows users that uses counterfeit packages uploaded to both npm and the Python Package Index (PyPI) repositories with the end goal of deploying open-source stealer malware known as Blank-Grabber and Skuld Stealer.
The company, which detected the supply chain attack last month, is tracking the threat cluster under the name MUT-8694 (where MUT stands for “mysterious unattributed threat”), stating it overlaps with a campaign that was documented by Socket earlier this month as aiming to infect Roblox users with the same malware.
As many as 18 and 39 phony unique packages have been uploaded to npm and PyPI, with the libraries attempting to pass off as legitimate packages through the use of typosquatting techniques.
“The use of numerous packages and involvement of several malicious users suggests MUT-8694 is persistent in their attempts to compromise developers,” Datadog researchers said. “Contrary to the PyPI ecosystem, most of the npm packages had references to Roblox, an online game creation platform, suggesting that the threat actor is targeting Roblox developers in particular.”
