Cyber Web Spider Blog – News
Npm Packages Exploit Crypto Keys and CI Secrets

Posted on February 23, 2026 By CWS

Introduction to the Threat

Cybersecurity experts have raised alarms about a new threat involving a group of harmful npm packages designed to steal credentials and cryptocurrency keys. Named SANDWORM_MODE by security firm Socket, this attack leverages at least 19 malicious npm packages to infiltrate developer environments. The campaign mimics previous Shai-Hulud attacks, embedding code to extract system data, tokens, secrets, and API keys while using stolen npm and GitHub identities for further spread.

Details of the Malicious Campaign

The malicious packages were released by two npm aliases, official334 and javaorg. These packages include:

  • [email protected]
  • [email protected]
  • [email protected]

Additionally, four dormant packages that currently carry no harmful payload were identified. The attack also employs a GitHub Action to exfiltrate CI/CD secrets over HTTPS, falling back to DNS if HTTPS is blocked, and includes a destructive routine that wipes home directories if access to GitHub and npm is lost.

Advanced Malware Features

A key component of the malware, known as “McpInject,” targets AI coding assistants by deploying a malicious server. This server pretends to be a genuine tool, embedding prompts to access sensitive files like ~/.ssh/id_rsa. Furthermore, the malware targets various coding tools and harvests API keys from several language model providers. The payload includes a polymorphic engine designed to evade detection by altering variables and control flow.

Stages of the Attack Chain

The attack unfolds in two stages. The initial phase captures credentials and cryptocurrency keys, while the second, activated after 48 hours, intensifies data harvesting and propagation. Developers are advised to uninstall the identified packages, rotate tokens, and scrutinize configuration files for unauthorized changes. Security firm Socket suggests the threat actors are still refining their tooling, as indicated by configuration toggles that disable the destructive routines.
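The advice above amounts to three checks a developer or CI owner can script: is a blocklisted package version present in the lockfile, has an AI-assistant (MCP) configuration gained a server entry that was not there before or that points at secrets such as ~/.ssh/id_rsa, and does a workflow pull in a GitHub Action outside the organization's allowlist. The following is an added example written for this article, not code from Socket or from the report; the package names in the blocklist are placeholders because the real identifiers are not reproduced here, the MCP config shape is assumed, and the lockfile, config and workflow inputs are constructed samples.

```python
"""Defensive triage for a developer workstation or CI runner (constructed example).

Three independent checks:
  1. blocklisted package@version entries in an npm lockfile (lockfileVersion 2/3),
  2. MCP server entries not on an allowlist, or whose command/args/env reference
     a sensitive path,
  3. 'uses:' references in a GitHub workflow that are outside allowed owners.
"""
import json
import re

# Placeholder blocklist: substitute the package@version identifiers from the
# vendor advisory. These names are invented for the example.
BLOCKLIST = {
    ("malicious-pkg-placeholder", "1.0.0"),
    ("another-placeholder", "2.3.1"),
}

# Substrings that should never appear in an assistant tool's launch command.
SENSITIVE_PATH_PATTERNS = ("/.ssh/", "id_rsa", "/.npmrc", "/.aws/", ".env")


def find_blocklisted(lockfile_text, blocklist=BLOCKLIST):
    """Return [(name, version)] for installed packages matching the blocklist.

    npm lockfile v2/v3 keys the 'packages' map by node_modules path, so nested
    and scoped packages resolve by taking the text after the last 'node_modules/'.
    """
    lock = json.loads(lockfile_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.split("node_modules/")[-1]
        if (name, meta.get("version")) in blocklist:
            hits.append((name, meta.get("version")))
    return hits


def suspicious_mcp_servers(config_text, allowlist):
    """Return MCP server names that are unexpected or reference sensitive paths.

    Assumed config shape: {"mcpServers": {name: {"command": str,
    "args": [str], "env": {str: str}}}}.
    """
    cfg = json.loads(config_text)
    flagged = []
    for name, spec in cfg.get("mcpServers", {}).items():
        launch = " ".join(
            [str(spec.get("command", ""))]
            + [str(a) for a in spec.get("args", [])]
            + [str(v) for v in spec.get("env", {}).values()]
        )
        if name not in allowlist or any(p in launch for p in SENSITIVE_PATH_PATTERNS):
            flagged.append(name)
    return flagged


# Matches "uses: owner/repo@ref" step lines in a workflow file (no YAML parser needed).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)


def unexpected_actions(workflow_text, allowed_prefixes):
    """Return 'uses:' references whose owner is not in the allowed prefixes."""
    return [r for r in USES_RE.findall(workflow_text)
            if not any(r.startswith(p) for p in allowed_prefixes)]


# ---- constructed sample inputs -------------------------------------------
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/malicious-pkg-placeholder": {"version": "1.0.0"},
    },
})
SAMPLE_MCP = json.dumps({"mcpServers": {
    "filesystem": {"command": "node", "args": ["./tools/fs-server.js", "/home/dev/project"]},
    "helper-tool": {"command": "node", "args": ["/tmp/x.js", "~/.ssh/id_rsa"]},
}})
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - uses: example-org/unreviewed-action@main
"""
ALLOWED_MCP = {"filesystem"}
ALLOWED_ACTIONS = ("actions/", "github/")


def audit():
    """Run all three checks over the constructed samples and return the findings."""
    return {
        "blocklisted": find_blocklisted(SAMPLE_LOCK),
        "mcp": suspicious_mcp_servers(SAMPLE_MCP, ALLOWED_MCP),
        "actions": unexpected_actions(SAMPLE_WORKFLOW, ALLOWED_ACTIONS),
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}: {findings}")
```

Run on real files by reading package-lock.json, the assistant's MCP config and each file under .github/workflows/ into the three functions; a non-empty result from any of them is the cue to uninstall, rotate the tokens that host had access to, and diff the configuration against a known-good copy. The allowlists are deliberately explicit so that a newly appeared server or action is flagged rather than silently accepted.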

Related Security Concerns

The disclosure coincides with reports from Veracode and JFrog about other malicious npm packages. These packages, such as “buildrunner-dev” and “eslint-verify-plugin,” are designed to deploy remote access trojans across various operating systems. The .NET malware delivered by “buildrunner-dev” and the multi-step infection chain of “eslint-verify-plugin” underline the sophistication of these threats, and developers are urged to remain vigilant against malicious npm packages.

Category: The Hacker News. Tags: AI coding, API tokens, CI secrets, crypto keys, Cybersecurity, GitHub, Malware, NPM, supply chain

Copyright © 2026 Cyber Web Spider Blog – News.