Introduction to the Threat
Cybersecurity experts have raised alarms about a new threat involving a group of harmful npm packages designed to steal credentials and cryptocurrency keys. Named SANDWORM_MODE by security firm Socket, this attack leverages at least 19 malicious npm packages to infiltrate developer environments. The campaign mimics previous Shai-Hulud attacks, embedding code to extract system data, tokens, secrets, and API keys while using stolen npm and GitHub identities for further spread.
Details of the Malicious Campaign
The malicious packages were released by two npm aliases, official334 and javaorg. These packages include:
Additionally, four dormant packages that currently lack harmful capabilities were identified. The attack also employs a GitHub Action to extract CI/CD secrets via HTTPS with a DNS fallback, including a destructive feature that wipes home directories if access to GitHub and npm is lost.
Advanced Malware Features
A key component of the malware, known as “McpInject,” targets AI coding assistants by deploying a malicious server. This server pretends to be a genuine tool, embedding prompts to access sensitive files like ~/.ssh/id_rsa. Furthermore, the malware targets various coding tools and harvests API keys from several language model providers. The payload includes a polymorphic engine designed to evade detection by altering variables and control flow.
Stages of the Attack Chain
The attack unfolds in two stages. The initial phase captures credentials and crypto keys, while the second, activated after 48 hours, intensifies data harvesting and propagation. Developers are advised to uninstall the identified packages, rotate tokens, and scrutinize configuration files for unauthorized changes. Security firm Socket suggests the threat actors are enhancing their methods, as indicated by certain toggles that disable destructive routines.
Related Security Concerns
The disclosure coincides with reports from Veracode and JFrog about other malicious npm packages. These packages, like “buildrunner-dev” and “eslint-verify-plugin,” are designed to deploy remote access trojans across various operating systems. The .NET malware from “buildrunner-dev” and the complex infection chain from “eslint-verify-plugin” underline the sophisticated nature of these threats, prompting developers to be vigilant against npm package vulnerabilities.
