Compiled by: Code Guard
Unknown threat actors are attacking developers with malicious npm packages in an attempt to steal source code and configuration files from victim machines.
Checkmarx issued a report stating that "the threat actors behind this activity are related to a malicious activity in 2021. They have been releasing malicious packages since then." Phylum disclosed earlier this month that a large number of npm modules were being used to exfiltrate valuable information to a remote server.
By design, these packages are configured to execute immediately via post-installation hooks defined in the package.json file. The hook triggers the startup of preinstall.js, which allows index.js to capture system metadata and harvest source code and confidential information from specific directories.
The attack culminates when the script creates a ZIP archive of the data and transfers it to a predefined FTP server. A common feature connecting all the packages is that "lexi2" is listed as the author in the package.json file, which allowed Checkmarx to trace the origin of the activity back to 2021. While the exact target of the attack is unclear, the use of package names such as binarium-client, binarium-crm, and rocketrefer suggests that the attack is aimed at the cryptocurrency industry.
Security researcher Yehuda Gelb said, “It’s important to realize that the cryptocurrency industry continues to be a popular target, and we’re not just fighting malicious packages, but also persistent adversaries who spend months or even years planning attacks.”
Original link
https://thehackernews.com/2023/08/malicious-npm-packages-aim-to-target.html
This article was compiled by Qi Anxin and does not represent the views of Qi Anxin. Please indicate "Reprinted from Qianxin Code Guard https://codesafe.qianxin.com" when reprinting.