
The Cyber Security News


Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets

May 14, 2026

Cybersecurity researchers are sounding the alarm about what has been described as “malicious activity” in newly published versions of node-ipc.

According to Socket and StepSecurity, three different versions of the npm package have been confirmed as malicious –

  • [email protected]
  • [email protected]
  • [email protected]

“Early analysis indicates that [email protected], [email protected], and [email protected] contain obfuscated stealer/backdoor behavior,” Socket said.


“The malware appears to fingerprint the host environment, enumerate and read local files, compress and chunk collected data, wrap the payload in a cryptographic envelope, and attempt exfiltration through a network endpoint selected via DNS/address logic.”

StepSecurity said the heavily obfuscated payload is triggered when the package is required at runtime, and attempts to exfiltrate a broad set of developer and cloud secrets to an external command-and-control server.

This is not the first time the npm package has incorporated malicious functionality. In March 2022, the maintainer of the package deliberately introduced destructive capability to versions 10.1.1 and 10.1.2 by overwriting files on systems located in Russia or Belarus as a form of protest following Russia’s military invasion of Ukraine.

Two subsequent versions – 11.0.0 and 11.1.0 – included the “peacenotwar” dependency, which was also published by the same maintainer as a “non-violent protest against Russia’s aggression.”

“The latest incident appears to involve a suspicious republishing or reintroduction of malicious code into versions of a known package, rather than a typosquatting attempt,” Socket said.
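Because the payload runs as soon as the package is required, a transitive copy of node-ipc matters as much as a direct dependency. The following is an added example, not code from the article, Socket or StepSecurity: it walks a parsed package-lock.json and reports every node-ipc install. The function names and the sample lockfile are constructed, and the flagged list holds only the 2022 versions named above, so the newly reported versions have to be added from the advisories.

```javascript
// Added example: find every installed copy of node-ipc (direct or transitive)
// in a parsed package-lock.json and compare it with a flagged-version list.
const FLAGGED = {
  // 2022 releases named in the article. The three newly reported versions are
  // not legible on this page; add them from the Socket/StepSecurity advisories.
  'node-ipc': ['10.1.1', '10.1.2', '11.0.0', '11.1.0'],
};
const WATCH_ANY_VERSION = ['peacenotwar']; // dependency named in the article

function collectInstalls(lock) {
  const found = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // root project or workspace link, not an install
    const name = meta.name || path.slice(idx + 'node_modules/'.length);
    found.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1: nested "dependencies" tree (only when "packages" is absent).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      found.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}

function auditLock(lock, flagged = FLAGGED, watch = WATCH_ANY_VERSION) {
  return collectInstalls(lock)
    .filter((p) => Object.hasOwn(flagged, p.name) || watch.includes(p.name))
    .map((p) => {
      const hit = watch.includes(p.name) || flagged[p.name].includes(p.version);
      return { ...p, status: hit ? 'FLAGGED' : 'present-review' };
    });
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/node-ipc': { version: '9.2.1' },
    'node_modules/build-tool/node_modules/node-ipc': { version: '10.1.1' },
    'node_modules/peacenotwar': { version: '9.1.3' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};
console.log(auditLock(sampleLock));
```

To check a real project, pass the parsed contents of its package-lock.json to `auditLock`; a `present-review` result means node-ipc is installed at a version that is not on the list supplied.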

(This is a developing story. Please check back for more details.)



Some parts of this article are sourced from:
thehackernews.com
