Malicious npm Packages Discovered Using Image Files to Conceal Backdoor Scripts
Security researchers have identified two malicious packages on the npm registry that concealed backdoor code capable of executing commands sent from a remote server.
The packages, img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy, were downloaded 190 and 48 times, respectively. Both have since been removed by the npm security team.
“These packages featured advanced command and control capabilities concealed within picture files that would get executed at the time of installing the package,” software supply chain security firm Phylum said in its analysis.
The packages were built to impersonate the legitimate npm library aws-s3-object-multipart-copy, but shipped with a modified “index.js” that runs a second JavaScript file (“loadformat.js”).
That script, in turn, processes three images (the logos of Intel, Microsoft, and AMD); the Microsoft logo is the one used to extract and execute the malicious payload.

The backdoor works by registering the newly infected host with a command-and-control (C2) server, sending its hostname and operating system details. It then polls for and executes attacker-issued commands every five seconds.
Finally, the output of each command is sent back to the attacker through a dedicated endpoint.
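The pattern above (a package that executes code at install time and carries its payload as extra bytes tacked onto an image) can be checked for before a package is installed. The following is an added example written for this article, not Phylum's tooling or anything from the packages themselves; the heuristic, the file names, the sample bytes and the package.json hook are all constructed for illustration, since the page does not show the real manifest.

```javascript
// Added example: flag package contents matching the pattern described above,
// an install hook plus image files carrying data after the image's end marker.
const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const JPEG_MAGIC = Buffer.from([0xff, 0xd8]);

// Return bytes appended after the image terminator (PNG IEND chunk or JPEG EOI
// marker); null if the buffer is not a PNG/JPEG or has no terminator.
function trailingBytes(buf) {
  if (buf.subarray(0, 8).equals(PNG_MAGIC)) {
    const idx = buf.indexOf('IEND');
    return idx === -1 ? null : buf.subarray(idx + 4 + 4); // type (4) + CRC (4)
  }
  if (buf.subarray(0, 2).equals(JPEG_MAGIC)) {
    const idx = buf.lastIndexOf(Buffer.from([0xff, 0xd9]));
    return idx === -1 ? null : buf.subarray(idx + 2);
  }
  return null;
}

// Heuristic: does the trailing data look like JavaScript rather than padding?
const SCRIPT_TOKENS = ['require(', 'child_process', 'exec(', 'eval(', 'setInterval'];
function looksLikeScript(bytes) {
  const text = bytes.toString('latin1');
  return SCRIPT_TOKENS.some((t) => text.includes(t));
}

// files: { fileName: Buffer }, pkg: parsed package.json. Returns findings as strings.
function scanPackage(files, pkg) {
  const findings = [];
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (pkg.scripts && pkg.scripts[hook]) findings.push(`install hook: ${hook} -> ${pkg.scripts[hook]}`);
  }
  for (const [name, buf] of Object.entries(files)) {
    const tail = trailingBytes(buf);
    if (tail && tail.length > 0 && looksLikeScript(tail)) {
      findings.push(`image with trailing script: ${name} (${tail.length} bytes)`);
    }
  }
  return findings;
}

// Constructed sample package (not the real packages' contents): a minimal PNG with
// code appended after IEND, a clean minimal JPEG, and a postinstall hook.
const iend = Buffer.concat([Buffer.from([0, 0, 0, 0]), Buffer.from('IEND'), Buffer.from([0xae, 0x42, 0x60, 0x82])]);
const sampleFiles = {
  'logo-ms.png': Buffer.concat([PNG_MAGIC, iend, Buffer.from('require("child_process").exec(cmd)')]),
  'logo-intel.jpg': Buffer.concat([JPEG_MAGIC, Buffer.from([0xff, 0xd9])]),
};
const samplePkg = { scripts: { postinstall: 'node loadformat.js' } };
const sampleFindings = scanPackage(sampleFiles, samplePkg);
```

Run against an unpacked tarball (`npm pack` output), `sampleFindings`-style output gives a reviewer both signals from the article, the install-time hook and the image that is larger than its format says it should be, before anything is executed.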
“Over the past few years, we’ve witnessed a notable surge in the sophistication and quantity of deceitful packages published to open source environments,” Phylum said.
“These attacks have been rather effective. It is utterly crucial that developers and security entities remain acutely aware of this reality and maintain a high level of alertness pertaining to the open source libraries they utilize.”
