Monday, April 29, 2024
48 Malicious npm Packages Discovered Deploying Reverse Shells on Developer Systems


Nov 03, 2023 | Newsroom | Software Security / Malware

A new set of 48 malicious npm packages has been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems.

“These packages, deceptively named to look legit, contained obfuscated JavaScript designed to initiate a reverse shell on package install,” software supply chain security firm Phylum said.

All of the counterfeit packages were published by an npm user named hktalent (GitHub, X). As of writing, 39 of the packages uploaded by the author are still available for download.

The attack chain is triggered after installation of the package via an install hook in the package.json that calls JavaScript code to establish a reverse shell to rsh.51pwn[.]com.
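
One way to surface install-time hooks like the one described above before dependencies are installed (an added example, not code from Phylum or the original article; the sample manifests, the `RISKY` patterns and the function names are assumptions made for illustration):

```javascript
// Audit parsed package.json manifests for scripts that npm runs automatically
// when a dependency is installed. All sample data below is constructed.

// Lifecycle scripts executed during `npm install` of a package.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Heuristic patterns (assumptions, not a complete ruleset): hook commands that
// execute JavaScript directly or invoke a network tool.
const RISKY = [
  { name: 'runs-node-script', re: /\bnode\s+(?!-)\S+/ },
  { name: 'inline-eval', re: /\bnode\s+(-e|--eval)\b/ },
  { name: 'network-tool', re: /\b(curl|wget|nc)\b/ },
];

// Return one finding per install hook present in a manifest. Every hook is
// reported for review; `reasons` lists which heuristics matched, if any.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const reasons = RISKY.filter((r) => r.re.test(cmd)).map((r) => r.name);
    findings.push({ package: manifest.name, hook, cmd, reasons });
  }
  return findings;
}

function auditAll(manifests) {
  return manifests.flatMap(auditManifest);
}

// Constructed manifests: no hook, a hook that runs a bundled script, and a
// common native-build hook that matches none of the heuristics.
const sampleManifests = [
  { name: 'example-benign', version: '1.0.0', scripts: { test: 'node test.js' } },
  { name: 'example-hooked', version: '1.0.0', scripts: { preinstall: 'node scripts/init.js' } },
  { name: 'example-native', version: '2.1.0', scripts: { install: 'node-gyp rebuild' } },
];

for (const f of auditAll(sampleManifests)) {
  const why = f.reasons.join(', ') || 'no heuristic matched, review manually';
  console.log(`${f.package}: ${f.hook} -> "${f.cmd}" [${why}]`);
}
```

Installing with `npm install --ignore-scripts` prevents these lifecycle hooks from running at all, at the cost of breaking packages that need a build step.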

“In this particular case, the attacker published dozens of benign-sounding packages with several layers of obfuscation and deceptive tactics in an attempt to ultimately deploy a reverse shell on any machine that simply installs one of these packages,” Phylum said.

The findings arrive close on the heels of revelations that two packages published to the Python Package Index (PyPI) under the garb of simplifying internationalization incorporated malicious code designed to siphon sensitive Telegram Desktop application data and system information.

The packages, named localization-utils and locute, were found to retrieve the final payload from a dynamically generated Pastebin URL and exfiltrate the information to an actor-controlled Telegram channel.

The development highlights the growing interest of threat actors in open-source environments, which allows them to set up impactful supply chain attacks that can target several downstream customers.

“These packages demonstrate a dedicated and elaborate effort to avoid detection via static analysis and visual inspection by employing a variety of obfuscation techniques,” Phylum said, adding they “serve as yet another stark reminder of the critical nature of dependency trust in our open-source ecosystems.”
