@securebulletin.com
//
A concerning trend of hackers exploiting open-source software supply chains has been identified, with malicious backdoors being planted in Python and NPM packages. Security researchers at Checkmarx Zero have uncovered a sophisticated campaign where attackers are using typosquatting and name-confusion tactics to trick users into downloading harmful software. This cross-ecosystem approach targets both Windows and Linux systems, deploying multi-platform payloads with the capability to steal data and establish remote control. These findings highlight the growing need for enhanced security measures within open-source ecosystems to combat supply chain attacks.
This campaign leverages the Python Package Index (PyPI) and Node Package Manager (NPM) by mimicking legitimate software. Specifically, the attack targeted users of "colorama," a popular Python tool, and "colorizr," a similar JavaScript package, by uploading packages with names like "coloramapkgs" and "colorizator". The malicious packages carry dangerous payloads designed to give attackers remote access and control, allowing them to harvest and exfiltrate sensitive data. On Windows systems, the malware attempts to bypass antivirus software, while on Linux, it establishes encrypted connections, steals information, and maintains a hidden presence. Fortunately, the identified malicious packages have been removed from public software repositories, limiting their immediate potential for damage. However, the lack of clear attribution data makes it difficult to trace the campaign back to a known adversary. Vet, an open-source tool designed to help developers and security engineers spot risks in their software supply chains, goes beyond traditional software composition analysis by detecting known vulnerabilities and flagging malicious packages. It supports ecosystems like npm, PyPI, Maven, Go, Docker, and GitHub Actions, assisting in the detection of supply chain attacks. Recommended read:
References :
TIGR Threat@Security Risk Advisors
//
A supply chain attack has successfully compromised the 'rand-user-agent' npm package, injecting obfuscated code designed to activate a remote access trojan (RAT) on unsuspecting users' systems. This JavaScript library, used for generating randomized user-agent strings beneficial for web scraping and automated testing, has been averaging 45,000 weekly downloads despite being deprecated. The malicious activity was detected by an automated malware analysis pipeline on May 5, 2025, which flagged the [email protected] version for containing unusual code indicative of a supply chain attack.
The injected RAT was designed to establish a persistent connection with a command and control (C2) server at http://85.239.62[.]36:3306. Upon activation, the RAT transmits critical machine identification data, including hostname, username, operating system type, and a generated UUID, enabling attackers to uniquely identify and manage compromised systems. Once connected, the RAT listens for commands from the C2 server, allowing attackers to manipulate the file system, execute arbitrary shell commands, and exfiltrate data from affected systems. Researchers at Aikido noted that threat actors exploited the package's semi-abandoned but still popular status to inject malicious code into unauthorized releases. The compromised versions of the package were promptly removed from the npm repository. Users are advised to check their systems for any installations of the compromised package and implement robust security practices to mitigate the risk of similar supply chain attacks. This incident underscores the critical importance of vigilant monitoring and dependency management in software development to protect against supply chain vulnerabilities. Recommended read:
References :
@Talkback Resources
//
Cybersecurity researchers have recently discovered a series of malicious packages lurking within the npm registry, a popular repository for JavaScript packages. These packages are designed to mimic the legitimate "node-telegram-bot-api," a widely-used library for creating Telegram bots. However, instead of providing bot functionalities, these rogue packages install SSH backdoors on Linux systems, granting attackers persistent, passwordless remote access. The identified malicious packages include "node-telegram-utils," "node-telegram-bots-api," and "node-telegram-util," which have accumulated around 300 downloads collectively.
The packages employ a technique known as "typosquatting," where they use names similar to the legitimate library to deceive developers into installing them. They also utilize "starjacking" by linking to the genuine library's GitHub repository, further enhancing their appearance of authenticity. Once installed on a Linux system, these malicious packages inject SSH keys into the "~/.ssh/authorized_keys" file, enabling attackers to remotely access the compromised machine. They also collect system information, including the username and external IP address, and transmit it to a remote server controlled by the attackers. Security experts warn that simply removing the malicious packages is insufficient to eliminate the threat. The injected SSH keys provide a persistent backdoor, allowing attackers to execute code and exfiltrate data even after the packages are uninstalled. This incident highlights the growing threat of supply chain attacks targeting development ecosystems like npm, underscoring the importance of rigorous dependency auditing and vigilant monitoring to safeguard systems from malicious code and unauthorized access. The researchers at Socket recommend immediate defensive actions to combat these types of threats. Recommended read:
References :
lucija.valentic@reversinglabs.com (Lucija@Blog (Main)
//
ReversingLabs has identified a malicious npm package named "pdf-to-office" that targeted cryptocurrency users by injecting malicious code into locally installed Atomic Wallet and Exodus software. The package, posing as a utility for converting PDF files to Microsoft Office documents, actually overwrites existing, legitimate files within the crypto wallet installations. This allowed attackers to silently hijack crypto transfers by swapping out the intended destination address with one belonging to the malicious actor. The ReversingLabs team continues to track threat actors using a variety of techniques to hijack popular crypto packages.
This attack vector involved the malicious patching of local software, a technique that allows attackers to intercept cryptocurrency transfers without raising immediate suspicion. The "pdf-to-office" package targeted specific versions of both Atomic Wallet (2.91.5 and 2.90.6) and Exodus (25.13.3 and 25.9.2), ensuring that the correct Javascript files were overwritten. Once executed, the malicious code would check for the presence of the "atomic/resources/app.asar" archive for Atomic Wallet and "src/app/ui/index.js" for Exodus. The compromised wallets would then channel crypto funds to the attacker's address, even if the "pdf-to-office" package was subsequently removed from the system. ReversingLabs' Spectra Assure platform flagged the package as suspicious due to its behaviors mirroring previous npm-based malware campaigns. The initial release was on March 24, 2025, before being removed. The latest version, 1.1.2, was uploaded on April 8 and remains available for download. Recommended read:
References :
Ddos@Daily CyberSecurity
//
North Korean Lazarus APT group has expanded its malicious activities within the npm ecosystem, deploying eleven new packages designed to deliver the BeaverTail malware and a new remote access trojan (RAT) loader. These malicious packages have been downloaded over 5,600 times before their removal, posing a significant risk to developer systems. The threat actors are utilizing previously identified aliases, as well as newly created accounts, to distribute these packages.
The campaign, dubbed "Contagious Interview," aims to compromise developer systems, steal sensitive credentials or financial assets, and maintain access to compromised environments. To evade detection, the attackers are employing hexadecimal string encoding and other obfuscation techniques. Some of the packages, such as "events-utils" and "icloud-cod," are linked to Bitbucket repositories, while others use command-and-control (C2) addresses previously associated with Lazarus Group campaigns, indicating the scale and coordination of this operation. Cybersecurity researchers are urging developers to be vigilant and carefully review all dependencies before installing them. The North Korean threat actors continue to create new npm accounts and deploy malicious code across platforms like the npm registry, GitHub, and Bitbucket, demonstrating their persistence and showing no signs of slowing down. This campaign highlights the increasing sophistication of supply chain attacks and the need for robust security measures to protect against such threats. Recommended read:
References :
lucija.valentic@reversinglabs.com (Lucija@Blog (Main)
//
A new malware campaign has been discovered targeting developers through malicious npm packages. Researchers at ReversingLabs identified two packages, ethers-provider2 and ethers-providerz, designed to inject reverse shells into locally installed instances of the popular 'ethers' library. This allows attackers to gain remote access to compromised systems. The attack cleverly hides its malicious payload, modifying legitimate files to ensure persistence even after the initial packages are removed.
This campaign showcases a sophisticated approach to software supply chain attacks. The malicious packages act as downloaders, patching the 'ethers' library with a reverse shell. Once 'ethers' is reinstalled, the modifications are reintroduced, granting attackers continued access. ReversingLabs detected the threat using their Spectra platform and have developed a YARA rule to identify compromised systems. While ethers-providerz has been removed, ethers-provider2 remains available, posing a substantial risk, especially if such tactics are deployed against more popular npm packages in the future. Recommended read:
References :
|