- Researchers found a malicious package on NPM, uploaded a year ago
- It was benign at first, and introduced malware later via an update
- The malware stole hundreds of thousands of secrets and installed cryptojackers on dozes of computers
For roughly a year, hackers have been infecting red teamers, penetration testers, security researchers, as well as other hackers, with a piece of malware that steals WordPress credentials and other sensitive data, and installs cryptominers on compromised endpoints.
As a result, login credentials for some 390,000 WordPress accounts were stolen, and dozens of systems were found mining Monero.
Cybersecurity researchers Datadog Security Labs spotted the attack on the NPM package repository, and in GitHub, after researchers from Checkmarx also sounded the alarm on the same campaign recently.
The package was pretending to be an XML-RPC implementation, and was first uploaded to the repository in October 2023. Until November 2024, when it was finally discovered as malicious, it received 16 updates.
Legitimate at first
Datadog noted ho the attackers were tactical in their approach, first uploading a package that was legitimate and worked as intended. The malicious code was introduced in later versions, and designed to steal SSH keys, bash history, and other data, every 12 hours. The data it collects would get extracted either via Dropbox, or File.io.
To make matters worse, researchers and security pros that would introduce XML-RPC into their own products would just expand the reach of the malware, turning it into a full-blown supply chain attack.
Datadog said that ultimately, the team found 68 compromised systems that were actively mining the Monero currency. Monero, with the XMR ticker, is most often mined with a cryptojacker called XMRig. This is a popular currency among thieves since it’s fully anonymous and very difficult to trace.
The identity of the threat actors was not discovered, but the researchers dubbed the group MUT-1224, which is short for Mysterious Unattributed Threat.
Major code repositories remain a vital platform for cybercriminals, the researchers concluded, stressing that developers should be extra careful when using open-source software.
Via BleepingComputer