A recent warning has been issued by cybersecurity researchers at Phylum, shedding light on the dangers posed by malicious npm packages that deliver advanced Remote Access Trojans (RATs).
Phylum’s automated risk platform flagged a suspicious npm package named “glup-debugger-log” containing obfuscated files that act as a dropper for remote access capabilities. The package.json file references these obfuscated files and executes them through its build and test scripts.
Once the researchers deobfuscated the play.js file, they found its bind() method to be the primary entry point for the malicious code. The exported bind() function generates a random number and then asynchronously executes the start() and share() functions.
The start() function retrieves configuration information, including hard-coded empty strings for the keys “p” and “pv”, before performing environment checks through the checkEnv function. These checks include verifying network interfaces, checking for Windows OS, and ensuring that the developer’s desktop folder contains at least 7 programs, possibly to target active developer machines.
If all the checks pass, the code attempts to execute a local command or to download and run a remote payload, while a background script maintains remote access. Additional checks define a “match” key that can target specific machines by MAC address or IP, and restrict execution to Windows systems with at least 7 items in the user’s Desktop folder.
After the initial environment checks pass, the code decodes a hard-coded Base64 string to run “cmd.exe” locally, or downloads a remote payload from a specified URL. Even after the main process exits, a separate script persists on the compromised system for further malicious activity.
The attacker’s focus appears to be developers’ systems, as shown by the play-share.js script, which sets up an HTTP server on port 3004. By sending a request with a “cmd” query parameter to this server, the attacker can execute commands on the compromised system through child_process and receive the output.
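The behaviours described above (lifecycle scripts invoking obfuscated files, environment fingerprinting, a Base64-decoded command, and an HTTP server handing a “cmd” parameter to child_process) are exactly what a pre-install audit of a downloaded package can look for. The following is an added example written for this article, not Phylum’s tooling or the package’s own code; the package contents it scans are constructed fixtures that imitate the described layout with the payload behaviour elided.

```javascript
// Heuristic audit of an unpacked npm package: flag lifecycle scripts whose referenced
// files combine the indicators from the glup-debugger-log analysis. Constructed fixtures below.
const INDICATORS = [
  { id: "child_process",   re: /require\(\s*['"]child_process['"]\s*\)/ },
  { id: "http_server",     re: /\.createServer\s*\(/ },
  { id: "cmd_query",       re: /searchParams\.get\(\s*['"]cmd['"]\s*\)|query\.cmd\b/ },
  { id: "base64_decode",   re: /Buffer\.from\([^)]*['"]base64['"]\s*\)/ },
  { id: "net_fingerprint", re: /os\.networkInterfaces\s*\(/ },
  { id: "platform_check",  re: /process\.platform\s*===?\s*['"]win32['"]/ },
  { id: "desktop_listing", re: /[\/'"]Desktop['"]/ },
];
// Hooks npm runs automatically at install time, plus the build/test scripts abused here.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare", "build", "test"];
function scanSource(text) {
  return INDICATORS.filter(i => i.re.test(text)).map(i => i.id);
}
// For each lifecycle script, find the package files its command line invokes and scan them.
function auditPackage(pkg, files) {
  const findings = [];
  for (const name of LIFECYCLE) {
    const cmdline = (pkg.scripts || {})[name];
    if (!cmdline) continue;
    for (const file of Object.keys(files).filter(f => cmdline.includes(f))) {
      const indicators = scanSource(files[file]);
      if (indicators.length) findings.push({ script: name, file, indicators });
    }
  }
  return findings;
}
// A server that hands a "cmd" parameter to child_process is a hard block; fingerprinting
// or an encoded payload reached from a lifecycle script warrants manual review.
function classify(findings) {
  const seen = new Set(findings.flatMap(f => f.indicators));
  if (["child_process", "http_server", "cmd_query"].every(i => seen.has(i))) return "block";
  const prints = ["net_fingerprint", "platform_check", "desktop_listing"].filter(i => seen.has(i));
  if (prints.length >= 2 || seen.has("base64_decode")) return "review";
  return findings.length ? "notice" : "pass";
}
// Constructed fixtures mirroring the described layout; the actual payload behaviour is elided.
const SAMPLE_PKG = { scripts: { build: "node play.js", test: "node play.js && node play-share.js" } };
const SAMPLE_FILES = {
  "play.js": `const os = require('os'), cp = require('child_process');
if (process.platform === 'win32' && Object.keys(os.networkInterfaces()).length &&
    require('fs').readdirSync(os.homedir() + '/Desktop').length >= 7) {
  cp.exec(Buffer.from('PLACEHOLDER', 'base64').toString()); }`,
  "play-share.js": `const http = require('http'), cp = require('child_process');
http.createServer((req) => { const c = new URL(req.url, 'http://x').searchParams.get('cmd'); /* elided */ }).listen(3004);`,
  "index.js": "module.exports = (msg) => console.log(msg);",
};
console.log(classify(auditPackage(SAMPLE_PKG, SAMPLE_FILES)), auditPackage(SAMPLE_PKG, SAMPLE_FILES));
```

Run against the fixtures it reports "block" with three findings (build/play.js, test/play.js, test/play-share.js); the regexes are deliberately narrow and should be treated as a triage signal, not a verdict, since real droppers are obfuscated and will need deobfuscation before static indicators match.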
The presence of such advanced RAT capabilities within an npm package underscores the evolving sophistication of malware development within open-source ecosystems. Despite being written in JavaScript, the use of modularity, obfuscation, and environment targeting techniques demonstrates a high level of expertise on the part of the attackers.
This discovery serves as a stark reminder of the importance of vigilance and robust cybersecurity measures, especially for developers and organizations utilizing open-source libraries. The potential for malicious actors to exploit these packages for nefarious purposes highlights the critical need for ongoing security awareness and proactive defense mechanisms to mitigate such threats effectively.
