Researchers have identified as many as 60 malicious npm packages in the package registry that collect hostnames, IP addresses, DNS servers, and user directories and send them to a Discord-controlled endpoint. Socket security researcher Kirill Boychenko revealed that these packages, published under three different accounts, have been downloaded over 3,000 times. The install-time script included in these packages runs on Windows, macOS, or Linux, so any workstation or continuous-integration node that installs one of them is fingerprinted.
The three accounts responsible for publishing these malicious npm packages are bbbb335656, cdsfdfafd1232436437, and sdsds656565, all of which have since been taken down from npm. The code embedded in these packages is designed to fingerprint every machine that installs them and communicates the gathered information to a Discord webhook. This data includes host details, system DNS servers, network interface card (NIC) information, and internal and external IP addresses, enabling threat actors to map networks and identify valuable targets for future attacks.
In addition to the malicious npm packages, a set of eight npm packages masquerading as helper libraries for JavaScript frameworks like React, Vue.js, and Vite were also discovered. These packages deploy destructive payloads once installed and have been downloaded over 6,200 times. Socket security researcher Kush Pandya highlighted that these packages go undetected by posing as legitimate plugins, only to corrupt data, delete critical files, or crash systems once executed. Some of them target specific JavaScript frameworks, manipulating their core functions or tampering with browser storage mechanisms.
Moreover, the abuse of open-source repositories has extended to Microsoft’s Visual Studio Code (VS Code) Marketplace, where malicious extensions have been identified targeting Solidity developers. These extensions, such as solaibot, among-eth, and blankebesxstnion, disguise harmful code within genuine features and steal cryptocurrency wallet credentials from victim Windows systems. The threat actor behind these malicious extensions, identified as MUT-9332, also utilizes complex infection chains and obfuscated malware to evade detection and continue their malicious activities.
The discovery of these malicious npm packages and VS Code extensions underscores the importance of vigilance in the cybersecurity landscape. Threat actors are constantly evolving their tactics to evade detection and compromise systems, highlighting the need for robust security measures and awareness among developers and users alike. Stay informed about the latest cybersecurity threats and follow reputable sources for updates on emerging risks in the digital ecosystem.
