Checkmarx warns of unknown threat actor targeting developers through NPM packages
UPDATED 07:00 EDT / AUGUST 30 2023
by Duncan Riley
Researchers at application security testing firm Checkmarx Ltd. today detailed a previously unknown threat actor leveraging NPM packages to target developers to steal source code and secrets.
The threat actor, believed to have been active since 2021 but undetected until now, has been publishing malicious NPM packages. The malicious packages were designed with the purpose of exfiltrating sensitive data such as source code and configuration files from the machines of victims.
Each of the malicious packages used by the threat actor was designed to execute automatically upon installation. Each NPM package contained three files — package.json, preinstall.js, and index.js — that were used as part of the attack process.
Upon installing the malicious package, a post-install hook defined in the package.json file triggers the preinstall.js script, which then uses a method called “spawn” to launch another file named index.js.
When index.js runs as a separate process, it continues to operate independently even after the main installation process is complete. The index.js script collects the current operating system username and working directory and then sends this information in an HTTP GET request to a predefined server.
The malicious code then looks through directories on the now-infected machine and targets specific directories such as .env, .gitlab and .github and files with extensions such as .asp, .js and .php. The code subsequently compresses the discovered directories, skipping unreadable directories and existing .zip files, and then attempts to upload the archives to a predefined FTP server.
According to the metadata analyzed in the malicious NPM packages' files, the author goes by the name of “lexi2.” A search for other references to lexi2 also found additional malicious packages dating back to 2021.
“Reactive countermeasures of deleting the most recent batch of malicious packages offer only temporary relief and don’t get to the root of the problem,” the researchers concluded. “Protection against these unrelenting threats requires a more sophisticated strategy.”
The researchers also noted that sharing metadata and tracking attackers is essential to a broader security approach that goes beyond short-term fixes and delves into the ongoing monitoring and analysis of attacker behavior and patterns.