Over 3 Dozen Data-Stealing Malicious npm Packages Found Targeting Developers

Almost thirty-six counterfeit packages have been found in the npm package registry. These packages are designed to quietly steal sensitive data from developers' systems, according to research published by Fortinet FortiGuard Labs.

One group of these counterfeit packages, published under the names @expue/webpack, @expue/core, @expue/vue3-renderer, @fixedwidthtable/fixedwidthtable, and @virtualsearchtable/virtualsearchtable, contains a concealed JavaScript file that collects valuable secrets. This includes critical data such as Kubernetes configurations, SSH keys, and system metadata like usernames, IP addresses, and hostnames.

In addition, the cybersecurity firm uncovered a second set of four modules, namely binarium-crm, career-service-client-0.1.6, hh-dep-monitoring, and orbitplate, that steal source code and configuration files. The targeted files and directories may contain highly valuable intellectual property and sensitive information, including credentials for various applications and services. The stolen data is packaged into archives and uploaded to an FTP server.

Furthermore, some of these malicious packages have been observed using a Discord webhook for the exfiltration of sensitive data, while a few others are engineered to automatically download and execute potentially malicious executable files from external URLs.

In an unusual twist, a rogue package named @cima/prism-utils used an install script to disable TLS certificate validation by setting NODE_TLS_REJECT_UNAUTHORIZED=0. This leaves the affected process's outbound connections open to man-in-the-middle (MitM) attacks, since server certificates are no longer checked.

The cybersecurity company has sorted the identified modules into nine groups based on code similarities and functionality. The majority of these packages rely on install scripts, which run pre- or post-install actions, to carry out the data harvesting.

The researchers have advised end users to remain vigilant for packages employing suspicious install scripts and to exercise caution when dealing with such packages.
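The install-script behaviour described above, as an added example that is not from the Fortinet report or from any of the packages it names: a small Node.js checker that reads a package.json and flags lifecycle hooks (preinstall, install, postinstall) whose commands show the patterns this article mentions. The rule list, the function names and the sample package.json are constructions for this example.

```javascript
// Added example (not from the Fortinet report): flag suspicious npm lifecycle
// scripts in a package.json before installing. The rules mirror behaviour the
// article describes: TLS validation disabled, exfiltration via FTP or Discord
// webhooks, remote downloads, and a hidden JS file run at install time.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Each rule: a label and a regex tested against the hook's command text.
const RULES = [
  { label: "disables TLS certificate validation", re: /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*0/ },
  { label: "Discord webhook (possible exfiltration)", re: /discord(?:app)?\.com\/api\/webhooks/i },
  { label: "FTP usage (possible exfiltration)", re: /\bftp:\/\/|\bftp\b/i },
  { label: "downloads from a remote URL", re: /\b(curl|wget)\b|https?:\/\//i },
  { label: "runs a script file at install time", re: /\bnode\s+\S+\.js\b/ },
];

// Returns one finding per lifecycle hook present; an empty array means the
// package declares no install-time hooks at all.
function auditPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    // Any lifecycle hook deserves a look; record it even if no rule matches.
    const reasons = RULES.filter((r) => r.re.test(cmd)).map((r) => r.label);
    findings.push({ hook, command: cmd, reasons });
  }
  return findings;
}

// Constructed sample package.json, modelled on the behaviour described above.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-pkg",
  version: "1.0.0",
  scripts: {
    postinstall: "NODE_TLS_REJECT_UNAUTHORIZED=0 node ./lib/setup.js",
    test: "node test.js",
  },
});

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.hook}: ${f.command}\n  -> ${f.reasons.join("; ") || "no rule matched"}`);
  }
}
```

Run it with `node audit.js` against a downloaded package.json; as a blanket control, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents these hooks from executing at all.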

Megafea Editors