Malicious npm Packages Target Developers
Security researchers from OX Security have identified four malicious packages on the npm registry that infect developer systems with information-stealing malware and a DDoS botnet. The packages, published by a user named deadcode09284814, are chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils. Collectively they have accumulated thousands of downloads and remain available for installation.
Varied Payloads from a Single Publisher
Despite sharing the same publisher, each package delivers distinct malicious functionality. The axois-utils package deploys Phantom Bot, a Go-based DDoS botnet capable of launching HTTP, TCP, and UDP flood attacks. It establishes persistence on both Windows and Linux systems, adding itself to the Windows Startup folder and creating scheduled tasks.
Stealer and Worm Variants
The remaining three packages drop credential-stealing payloads. Notably, chalk-tempalte contains a nearly unmodified clone of the Shai-Hulud worm, which was recently open-sourced by the group TeamPCP. The stolen credentials are exfiltrated to a remote command-and-control server and also published to a new GitHub repository using a stolen GitHub token. The other two packages, @deadcode09284814/axios-util and color-style-utils, siphon sensitive data including SSH keys, environment variables, cloud credentials, system information, IP addresses, and cryptocurrency wallet data.
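As an added example (not code from the OX Security researchers or the article), the Node.js script below audits a project's package.json for the four package names reported above and for dependency names that are one edit away from a well-known package, as chalk-tempalte is from chalk-template and the "axois" segment of axois-utils is from axios. The protected-name list, the sample package.json and its version ranges are constructed for the demonstration.

```javascript
// Names reported by OX Security (from the article above).
const KNOWN_MALICIOUS = new Set([
  'chalk-tempalte',
  '@deadcode09284814/axios-util',
  'axois-utils',
  'color-style-utils',
]);

// Assumed allowlist of popular names worth protecting; build it from your own
// lockfile in practice.
const PROTECTED_NAMES = ['chalk', 'chalk-template', 'axios'];

// Edit distance where an adjacent-character swap counts as one edit, so a
// transposed name like "tempalte" is distance 1 from "template".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns the protected name that a dependency name (or one of its
// hyphen-separated segments) is exactly one edit away from, or null.
function nearMissOf(name) {
  const bare = name.replace(/^@[^/]+\//, '');   // drop an npm scope
  const parts = [bare, ...bare.split('-')];      // whole name plus each segment
  for (const legit of PROTECTED_NAMES) {
    if (parts.includes(legit)) continue;         // exact use of the real name
    if (parts.some((p) => editDistance(p, legit) === 1)) return legit;
  }
  return null;
}

// Flags blocklisted names first, then near-misses of protected names.
function auditDependencies(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ name, reason: 'listed in the OX Security report' });
      continue;
    }
    const legit = nearMissOf(name);
    if (legit) findings.push({ name, reason: `one edit away from "${legit}"` });
  }
  return findings;
}

// Constructed package.json: two legitimate dependencies beside the four
// reported names; version ranges are placeholders.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { chalk: '*', axios: '*', 'chalk-tempalte': '*', 'axois-utils': '*' },
  devDependencies: { '@deadcode09284814/axios-util': '*', 'color-style-utils': '*' },
};

auditDependencies(SAMPLE_PACKAGE_JSON).forEach((f) => console.log(`${f.name}: ${f.reason}`));
```

Run it against a real project by replacing SAMPLE_PACKAGE_JSON with `JSON.parse(require('fs').readFileSync('package.json', 'utf8'))`.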
Source: The Hacker News
