Malicious npm Packages Found Using Image Files to Hide Backdoor Code
Cybersecurity researchers have identified two malicious packages on the npm package registry that concealed backdoor code to execute harmful commands sent from a remote server.
The packages in question, img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy, were downloaded 190 and 48 times, respectively. They have since been taken down by the npm security team.
“They comprised intricate command-and-control functionality camouflaged in picture files that would be triggered during bundle installation,” software supply chain security firm Phylum said in an analysis.
The packages are designed to impersonate a legitimate npm library named aws-s3-object-multipart-copy, but ship a modified version of the “index.js” file that executes a JavaScript file (“loadformat.js”).
The loadformat.js script, in turn, is built to process three images, depicting the official logos of Intel, Microsoft, and AMD, with the image of the Microsoft logo used to extract and execute the malicious content.
