Malicious npm Packages Compromise Developer Security by Stealing Sensitive Credentials
In a recent and alarming development, the cybersecurity community has identified four malicious npm packages designed to infiltrate developer environments and exfiltrate sensitive information. These packages—`chalk-template`, `@deadcode09284814/axios-util`, `axios-utils`, and `color-style-utils`—have been found to steal SSH keys, cloud service credentials, cryptocurrency wallets, and environment variables. One of these packages even has the capability to convert infected machines into nodes of a Distributed Denial of Service (DDoS) botnet.
The Threat Landscape
The discovery of these packages underscores a growing trend where attackers leverage the trust within open-source ecosystems to distribute malicious code. By employing typosquatting techniques—creating package names that closely resemble legitimate ones—threat actors increase the likelihood of unintentional installation by developers. This method exploits the reliance on package managers like npm, which are integral to modern software development.
Detailed Analysis of the Malicious Packages
1. `chalk-template`: This package is a near-identical clone of the Shai-Hulud infostealer, an open-source malware whose source code was publicly leaked on GitHub by the group TeamPCP. The threat actor copied the code with minimal modification, embedding their own command-and-control (C2) server address (`87e0bbc636999b[.]lhr[.]life`) and private key, then uploaded the working package directly to npm. The lack of obfuscation, a stark contrast to the original Shai-Hulud deployments, confirms this is a copycat actor rather than TeamPCP itself. Infected machines upload stolen credentials to a new GitHub repository, mirroring the original Shai-Hulud behavior.
2. `@deadcode09284814/axios-util`: This package functions as a straightforward infostealer, collecting SSH keys, environment variables, and cloud credentials from AWS, GCP, and Azure. The exfiltrated data is transmitted to `80[.]200[.]28[.]28:2222`, a server controlled by the attackers.
3. `axios-utils`: Beyond credential theft, this package delivers a Go-based Phantom Bot that establishes persistence on the infected machine. This bot not only survives deletion of the package but also incorporates DDoS capabilities, enabling it to flood targets with HTTP, TCP, UDP, and reset requests.
4. `color-style-utils`: This package is an unobfuscated infostealer that harvests IP addresses, geolocation data, and cryptocurrency wallets. The stolen information is exfiltrated to `edcf8b03c84634[.]lhr[.]life`, another domain under the attackers’ control.
Implications for Developers
The presence of these malicious packages in the npm registry poses significant risks to developers and organizations. Installing any of these packages can lead to unauthorized access to sensitive information, financial loss, and potential legal ramifications. The ability of one package to transform systems into DDoS botnet nodes further amplifies the threat, as it can be used to launch attacks against other targets, causing widespread disruption.
Recommended Actions
Developers who have installed any of these packages should take immediate action:
– Uninstall Malicious Packages: Remove all instances of `chalk-template`, `@deadcode09284814/axios-util`, `axios-utils`, and `color-style-utils` from your projects.
– Revoke and Rotate Credentials: Assume that any credentials, SSH keys, or environment variables accessible during the period these packages were installed are compromised. Revoke and rotate them promptly.
– Audit Systems for Persistence Mechanisms: Given the persistence capabilities of the Phantom Bot, conduct thorough audits to identify and remove any unauthorized processes or configurations.
– Monitor Network Traffic: Implement monitoring to detect unusual outbound connections, particularly to the identified C2 domains and IP addresses.
– Enhance Dependency Management Practices: Adopt tools and practices that verify the integrity and authenticity of packages before inclusion in projects. Regularly review and update dependencies to mitigate risks associated with supply chain attacks.
Indicators of Compromise (IOCs)
To assist in identifying potential compromises, the following IOCs have been associated with this campaign:
– C2 Domains:
  – `87e0bbc636999b[.]lhr[.]life`
  – `b94b6bcfa27554[.]lhr[.]life`
  – `edcf8b03c84634[.]lhr[.]life`
– C2 IP Address and Port:
  – `80[.]200[.]28[.]28:2222`
Note: IP addresses and domains are intentionally defanged (e.g., `[.]`) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
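As an added example (not code from the advisory or from the researchers who reported the packages), the following Node.js script covers two of the recommended actions: it audits a parsed `package-lock.json` for the four package names and scans resolver or proxy log lines for the listed C2 indicators, keeping the IOCs defanged at rest and matching only whole host/IP tokens. The lockfile and log lines are constructed samples.

```javascript
// Added example, not code from the advisory: audit an npm lockfile for the four
// named packages and scan DNS/proxy log lines for the listed C2 indicators.

// Names and IOCs exactly as the advisory lists them; IOCs stay defanged at rest.
const MALICIOUS_PACKAGES = new Set(["chalk-template",
  "@deadcode09284814/axios-util", "axios-utils", "color-style-utils"]);
const DEFANGED_IOCS = ["87e0bbc636999b[.]lhr[.]life", "b94b6bcfa27554[.]lhr[.]life",
  "edcf8b03c84634[.]lhr[.]life", "80[.]200[.]28[.]28"];

// Matching names in a parsed package-lock.json. lockfileVersion 2/3 list every
// install under "packages" keyed by path ("node_modules/a/node_modules/b");
// v1 nests transitive dependencies under each entry's "dependencies".
function findMaliciousPackages(lock) {
  const hits = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    const name = key.replace(/^.*node_modules\//, "");
    if (MALICIOUS_PACKAGES.has(name)) hits.add(name);
  }
  const walkV1 = (deps) => Object.entries(deps || {}).forEach(([name, info]) => {
    if (MALICIOUS_PACKAGES.has(name)) hits.add(name);
    walkV1(info.dependencies);
  });
  walkV1(lock.dependencies);
  return [...hits].sort();
}

// Re-fang only in memory for comparison, and match whole host/IP tokens so
// that "180.200.28.28" or "80.200.28.280" is not reported as a hit.
const refang = (s) => s.replace(/\[\.\]/g, ".");
const IOC_PATTERNS = DEFANGED_IOCS.map((ioc) => new RegExp(
  "(^|[^A-Za-z0-9.-])" + refang(ioc).replace(/\./g, "\\.") + "(?![A-Za-z0-9.-])"));

// Return [{ line, ioc }] for every log line mentioning a listed C2 domain or IP.
function findIocHits(lines) {
  const hits = [];
  lines.forEach((line, i) => IOC_PATTERNS.forEach((re, j) => {
    if (re.test(refang(line))) hits.push({ line: i + 1, ioc: DEFANGED_IOCS[j] });
  }));
  return hits;
}

// Constructed sample input (not real telemetry) so the script runs offline.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/chalk": { version: "5.3.0" }, "node_modules/axios-utils": { version: "1.0.0" },
  "node_modules/foo/node_modules/color-style-utils": { version: "0.1.0" } } };
const SAMPLE_LOGS = ["dns query A registry.npmjs.org", "dns query A 87e0bbc636999b.lhr.life",
  "proxy CONNECT 80.200.28.28:2222", "proxy CONNECT 180.200.28.28:443"];

console.log(findMaliciousPackages(SAMPLE_LOCK), findIocHits(SAMPLE_LOGS));
```

To run it against real data, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and `SAMPLE_LOGS` with the lines of your resolver or proxy log.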
Conclusion
The discovery of these malicious npm packages highlights the critical need for vigilance in dependency management and the importance of maintaining robust security practices within the development community. By staying informed and proactive, developers can protect their projects and organizations from the evolving threats posed by supply chain attacks.