CyberSecurity SEE

Malicious npm Packages Compromise SSH Keys, Cloud Credentials, and Crypto Wallets

New Supply Chain Attack Campaign Targets Developers in npm Ecosystem

A recent supply chain attack campaign has emerged, specifically targeting developers within the npm ecosystem. Researchers from OX Security have identified four malicious packages that are actively stealing sensitive information, including SSH keys, cloud credentials, and cryptocurrency wallets. The campaign illustrates the growing danger of typosquatting attacks and of the reuse of leaked open-source malware, and highlights how exposed software supply chains remain to both.

The malicious packages, identified as @deadcode09284814/axios-util, axois-utils, chalk-tempalte, and color-style-utils, were all published under a single npm account. Collectively, they amassed over 2,600 downloads per week. However, researchers have underscored a severe risk: any installation of these packages results in immediate compromise, as every available version contains built-in infostealer functionality.

Among these packages, chalk-tempalte stands out because it incorporates a near-identical variant of the Shai-Hulud malware. This strain had been publicly leaked just days earlier by a group known as TeamPCP, making it readily accessible to nefarious actors looking for quick exploits. OX Security's report indicates that the attacker behind chalk-tempalte likely copied the leaked source code with minimal alterations, keeping the original script's structure and leaving the malware unobfuscated. This suggests opportunistic reuse rather than a more calculated development effort.

The Shai-Hulud clone functions as a highly capable infostealer, extracting sensitive information such as user credentials, cryptocurrency wallet details, and other critical environment variables. It then relays the stolen data to a command-and-control server at 87e0bbc636999b.lhr.life and, mirroring earlier Shai-Hulud behavior, also uploads the data to GitHub repositories controlled by the attackers. The presence of embedded public keys and identical logic flows within the code further corroborates its direct lineage from the original leaked source.

The other malicious packages exhibit varying capabilities, exemplifying a multi-faceted attack strategy. The @deadcode09284814/axios-util package is particularly noteworthy for its focus on harvesting SSH keys, environment variables, and cloud credentials from platforms such as AWS, Google Cloud, and Azure. It transmits collected data to a remote server located at 80.200.28.28 over port 2222, reflecting a straightforward yet effective method for data exfiltration.

In a different approach, axois-utils deploys a more aggressive payload that employs what is termed a "phantom bot." This component establishes persistence on infected systems, allowing for ongoing operations even when the npm package is removed. Partially written in Go, the bot converts compromised machines into nodes within a Distributed Denial of Service (DDoS) botnet, capable of executing HTTP, TCP, UDP, and reset-based flooding attacks. This evolution marks a critical shift from mere data theft to the active exploitation of the compromised infrastructure.

The fourth malicious package, color-style-utils, operates as a simpler infostealer with no advanced evasion techniques. It collects basic system information, including IP address, geolocation data, and cryptocurrency wallet details, and sends it to yet another attacker-controlled domain at edcf8b03c84634.lhr.life. Its lack of obfuscation suggests that speed of deployment was prioritized over stealth.

Researchers have observed that the campaign likely employs typosquatting techniques, specifically targeting developers who may be searching for popular packages like Axios. The subtle misspellings in the package names increase the chances of accidental installations, particularly within rapid development environments where developers are often pressed for time.

Developers who may have inadvertently installed any of these malicious packages are strongly urged to take immediate action. They should uninstall the compromised packages, rotate all potentially exposed credentials, and conduct a thorough inspection of their systems for any lingering malicious persistence mechanisms. Additionally, scanning repositories for unique strings such as “A Mini Sha1-Hulud has Appeared” can aid in identifying compromised environments.
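As an added defender-side example (not code from the article or from OX Security), the following Python script audits a package-lock.json for the four package names above, flags dependency names that are one edit away from trusted packages such as axios and chalk-template (the trusted list and the one-edit threshold are assumptions to tune per project), and reports which lines of a file contain the marker string quoted above.

```python
import json

# The four package names from the OX Security report.
KNOWN_MALICIOUS = {"@deadcode09284814/axios-util", "axois-utils",
                   "chalk-tempalte", "color-style-utils"}
# Legitimate names the campaign imitates; assumed list, extend it per project.
TRUSTED = ("axios", "chalk", "chalk-template")
# Indicator string the report recommends searching repositories for.
MARKER = "A Mini Sha1-Hulud has Appeared"

def edit_distance(a, b):
    """Optimal-string-alignment distance: a transposition counts as one edit."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def typosquat_of(name):
    """Return the trusted name that `name` is exactly one edit away from, else None."""
    bare = name.split("/")[-1]  # drop an npm scope such as @scope/
    if bare in TRUSTED:
        return None
    for trusted in TRUSTED:
        # Compare the whole name and its first hyphen segment (axois-utils -> axois).
        for candidate in (bare, bare.split("-")[0]):
            if edit_distance(candidate, trusted) == 1:
                return trusted
    return None

def audit_lockfile(lock_json):
    """Scan a package-lock.json (lockfileVersion 2/3) and return (name, reason) findings."""
    findings = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in KNOWN_MALICIOUS:
            findings.append((name, "known-malicious"))
        elif (hit := typosquat_of(name)):
            findings.append((name, f"possible typosquat of {hit}"))
    return findings

def marker_lines(text):
    # 1-based line numbers where the marker string from the report appears.
    return [n for n, line in enumerate(text.splitlines(), 1) if MARKER in line]
```

A hit from audit_lockfile is a reason to follow the remediation steps above, not proof on its own; the typosquat heuristic will also surface legitimate packages that happen to sit one edit from a trusted name.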

This incident serves as a sobering reminder of how swiftly leaked malware can be weaponized for real-world attacks, drastically amplifying the threat landscape. It underscores the critical need for enhanced dependency verification practices within the software supply chain, advocating for a more cautious approach to package management in order to safeguard against similar threats in the future.
