On July 31, 2023, Phylum researchers observed the publication of ten different “test” packages on the npm package manager that were developed to exfiltrate sensitive developer source code and other confidential information.
All of these packages were published by the same npm user, malikrukd4732, and contain three files.
“The index.js code is spawned in a child process by the preinstall.js file. This action is prompted by the postinstall hook defined in the package.json file, which is executed upon package installation. Therefore, the mere act of installing this package initiates the execution of all this code.” reads the advisory published by Phylum.
The index.js gathers the current OS username and the current working directory, then it searches through directories on the system looking for files with specific extensions or in specific directories. The script creates ZIP archives of the directories it finds and finally, it attempts to upload them to an FTP server with IP address 185[.]62[.]57[.]60 using the username root and password TestX@!#33.
The files and directories targeted by the malicious code could potentially contain developers sensitive data, such as credentials for numerous applications and services.
The researchers speculate the packages are part of a highly-targeted attack on developers working in the cryptocurrency sector.
“This seems to be another highly-targeted attack on developers involved in the cryptocurrency sphere. As of now, we’re uncertain about what @rocketrefer pertains to, but it could potentially be linked to CryptoRocket. According to its website’s meta description, CryptoRocket is a “bitcoin forex broker offering unrivalled[sic] trading conditions such as ultra-tight spreads and straight through processing.” Meanwhile, Binarium appears to be an options broker that provides access to a wide range of financial markets, including forex and cryptocurrency.” concludes the report. “Regardless this serves as yet another stark reminder of how important it is to trust your dependencies.”
It’s not uncommon to find malicious packages on NPM, in May ReversingLabs discovered two malicious packages, respectively named nodejs-encrypt-agent and nodejs-cookie-proxy-agent, in the npm package repository containing an open-source info-stealer called TurkoRat.
Organizations should pay attention to the packages that were used by their development teams paying attention to anomalies such as typos or strange version numbers.