Nearly three dozen counterfeit packages have been discovered in the npm package repository that are designed to exfiltrate sensitive data from developer systems, according to findings from Fortinet FortiGuard Labs.
One set of packages – named @expue/webpack, @expue/core, @expue/vue3-renderer, @fixedwidthtable/fixedwidthtable, and @virtualsearchtable/virtualsearchtable – harbored an obfuscated JavaScript file that’s capable of gathering valuable secrets.
This includes Kubernetes configurations, SSH keys, and system metadata such as username, IP address, and hostname.
The cybersecurity firm said it also discovered another collection of four modules, i.e., binarium-crm, career-service-client-0.1.6, hh-dep-monitoring, and orbitplate, which results in the unauthorized extraction of source code and configuration files.
Some of the packages observed have also been found leveraging a Discord webhook to exfiltrate sensitive data, while a few others are engineered to automatically download and execute a potentially malicious executable file from a URL.
In what’s a novel twist, a rogue package named @cima/prism-utils relied on an install script to disable TLS certificate validation (NODE_TLS_REJECT_UNAUTHORIZED=0), potentially rendering connections vulnerable to adversary-in-the-middle (AitM) attacks.
“End users should watch for packages that employ suspicious install scripts and exercise caution,” the researchers said.
Source: https://thehackernews.com/
