
"Analysis by researchers at Socket's Threat Research Team shows the malware distributed as part of the campaign uses four layers of obfuscation to hide payloads, displays a fake CAPTCHA to appear legitimate, and fingerprints victims by IP address. It downloads a 24MB PyInstaller-packaged information stealer that harvests credentials from system keyrings, browsers, and authentication services across Windows, Linux, and macOS. "This malware demonstrates multiple advanced techniques rarely seen together in npm supply chain attacks," said the researchers."
"Once installed, the malware serves a fake CAPTCHA prompt. It detects the victim's operating system and launches the obfuscated payload in a new terminal window, meaning the malware runs independently of the npm install process. "Developers who glance at their terminal during installation see a new window briefly appear, which the malware immediately clears to avoid suspicion," the researchers said."
Ten malicious npm packages delivered information-stealing malware targeting Windows, Linux, and macOS. The campaign used typosquatted package names that imitate popular libraries; the names reported include typescriptjs, deezcord.js, dezcord.js, etherdjs, ethesjs, ethetsjs, nodemonjs, react-router-dom.js, and zustand.js. The packages employed four layers of obfuscation, served a fake CAPTCHA, and fingerprinted victims by IP address. Installation opens a new terminal window that launches an obfuscated payload independently of the npm install process, and the window is cleared immediately to avoid suspicion. The payload downloads a 24MB PyInstaller-packaged stealer that harvests credentials from system keyrings, browsers, and authentication services. The packages were published on July 4 and remained live for more than four months, accumulating more than 9,900 downloads.
Read at IT Pro