Malicious npm Packages Unleash Infostealers and DDoS Botnets
In a recent cybersecurity development, researchers have identified four malicious npm packages embedded with information-stealing malware and distributed denial-of-service (DDoS) capabilities. These packages, published by the npm user deadcode09284814, have been downloaded collectively over 3,000 times, posing significant risks to developers and organizations.
Identified Malicious Packages:
– chalk-tempalte: 825 downloads
– @deadcode09284814/axios-util: 284 downloads
– axois-utils: 963 downloads
– color-style-utils: 934 downloads
Notably, the chalk-tempalte package is a direct clone of the Shai-Hulud worm, which was recently open-sourced by the hacking group TeamPCP. This worm is designed to infiltrate systems, exfiltrate sensitive data, and propagate itself across networks. The threat actor behind chalk-tempalte made only minimal modifications to the original Shai-Hulud code, primarily changing the command-and-control (C2) server and the private key configuration. Credentials stolen from infected systems are transmitted to a remote C2 server at 87e0bbc636999b.lhr[.]life. In addition, the malware uses the compromised GitHub tokens to push the stolen data to a new public GitHub repository whose description reads "A Mini Sha1-Hulud has Appeared".
The axois-utils package delivers a Golang-based DDoS botnet known as Phantom Bot. This botnet can launch attacks using HTTP, TCP, and UDP protocols, overwhelming target websites with traffic. To maintain persistence, Phantom Bot adds itself to the Windows Startup folder and creates scheduled tasks on both Windows and Linux systems.
The remaining two packages, @deadcode09284814/axios-util and color-style-utils, function as infostealers. They are designed to siphon SSH keys, environment variables, cloud service credentials, system information, IP addresses, and cryptocurrency wallet data. The exfiltrated data is sent to remote servers at 80.200.28[.]28:2222 and edcf8b03c84634.lhr[.]life, respectively.
Implications and Recommendations:
The emergence of these malicious packages underscores the escalating threat of supply chain attacks within the open-source ecosystem. The open-sourcing of tools like Shai-Hulud has lowered the barrier for threat actors to conduct sophisticated attacks, including supply chain compromises and typosquatting.
Developers and organizations are urged to take immediate action if they have integrated any of these packages into their projects:
1. Uninstall Malicious Packages: Remove the identified packages from your projects to prevent further exploitation.
2. Inspect Development Environments: Examine Integrated Development Environments (IDEs) and coding agents for any malicious configurations or scripts that may have been introduced.
3. Rotate Secrets and Credentials: Change all potentially compromised secrets, including API keys, passwords, and tokens, to mitigate unauthorized access.
4. Audit GitHub Repositories: Search for repositories containing the string "A Mini Sha1-Hulud has Appeared" to identify and address any unauthorized data exfiltration.
5. Block Suspicious Domains: Implement network controls to prevent communication with known malicious domains associated with these packages.
By proactively addressing these threats, developers can safeguard their projects and maintain the integrity of the software supply chain.