A brand new set of 48 malicious npm packages have been found within the npm repository with capabilities to deploy a reverse shell on compromised techniques.
“These packages, deceptively named to look legit, contained obfuscated JavaScript designed to provoke a reverse shell on package deal set up,” software program provide chain safety agency Phylum stated.
All of the counterfeit packages have been printed by an npm person named hktalent (GitHub, X). As of writing, 39 of the packages uploaded by the writer are nonetheless accessible for obtain.
The assault chain is triggered publish the set up of the package deal by way of an set up hook within the package deal.json that calls a JavaScript code to determine a reverse shell to rsh.51pwn[.]com.
“On this explicit case, the attacker printed dozens of benign-sounding packages with a number of layers of obfuscation and misleading techniques in an try and finally deploy a reverse shell on any machine that merely installs considered one of these packages,” Phylum stated.
The findings arrive shut on the heels of revelations that two packages printed to the Python Package deal Index (PyPI) beneath the garb of simplifying internationalization included malicious code designed to siphon delicate Telegram Desktop software knowledge and system data.
The packages, named localization-utils and locute, have been discovered to retrieve the ultimate payload from a dynamically generated Pastebin URL and exfiltrate the data to an actor-controlled Telegram channel.
The event highlights the rising curiosity of menace actors in open-source environments, which permits them to arrange impactful provide chain assaults that may goal a number of downstream prospects abruptly.
“These packages present a devoted and elaborate effort to keep away from detection by way of static evaluation and visible inspection by using quite a lot of obfuscation methods,” Phylum stated, including they “function yet one more stark reminder of the vital nature of dependency belief in our open-source ecosystems.”
