Npm Trojan Bypasses UAC, Installs AnyDesk with “Oscompatible” Package

Npm Trojan Bypasses UAC, Installs AnyDesk with “Oscompatible” Package

A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines.

The package, named “oscompatible,” was published on January 9, 2024, attracting a total of 380 downloads before it was taken down.

oscompatible included a “few strange binaries,” according to software supply chain security firm Phylum, including a single executable file, a dynamic-link library (DLL) and an encrypted DAT file, alongside a JavaScript file.

Attempting to run the binary will trigger a User Account Control (UAC) prompt asking the target to execute it with administrator credentials.

In doing so, the threat actor carries out the next stage of the attack by running the DLL (“msedge.dll”) by taking advantage of a technique called DLL search order hijacking.

The trojanized version of the library is designed to decrypt the DAT file (“msedge.dat”) and launch another DLL called “msedgedat.dll,” which, in turn, establishes connections with an actor-controlled domain named “kdark1[.]com” to retrieve a ZIP archive.

The disclosure comes as cloud security firm Aqua revealed that 21.2% of the top 50,000 most downloaded npm packages are deprecated, exposing users to security risks. In other words, the deprecated packages are downloaded an estimated 2.1 billion times weekly.

This includes archived and deleted GitHub repositories associated with the packages as well as those that are maintained without a visible repository, commit history, and issue tracking.

“This situation becomes critical when maintainers, instead of addressing security flaws with patches or CVE assignments, opt to deprecate affected packages,” security researchers Ilay Goldman and Yakir Kadkoda said.