32 Red Hat npm packages backdoored in 72 seconds

ReversingLabs identified a coordinated supply chain attack against the @redhat-cloud-services npm scope in which 32 malicious package versions were published within 72 seconds, affecting packages with about 9.8 million downloads. The payload used layered obfuscation, installed a Bun-based credential stealer during npm install, and may have enabled further package propagation through stolen npm credentials.

Key points

  • 32 packages in the @redhat-cloud-services npm scope were compromised in a 72-second publishing burst on June 1, 2026.
  • The malicious versions collectively account for approximately 9.8 million total downloads across Red Hat’s Hybrid Cloud Console JavaScript ecosystem.
  • Each affected package was modified in the same way: package.json gained a preinstall script and index.js was replaced with a malicious loader.
  • The attack used a multi-layer design involving ROT-N encoding, AES-128-GCM decryption, and an obfuscated payload generated with obfuscator.io.
  • The main payload is a credential stealer targeting AWS, Azure/ARM, Google Cloud, HashiCorp Vault, GitHub, npm, and SSH data.
  • The payload can detect GitHub Actions environments and exfiltrate stolen data through the GitHub API, suggesting CI/CD-focused targeting.
  • The malware includes worm-like propagation logic that could publish new malicious package versions using stolen npm credentials.

MITRE Techniques

  • [T1059.007] Command and Scripting Interpreter: JavaScript – The attack runs malicious JavaScript through package installation and later executes the decrypted payload with Bun (‘the package’s main entry point is completely replaced with a malicious payload’, ‘it is used directly’).
  • [T1204.002] User Execution: Malicious File – The preinstall script causes execution during npm install, so the malicious code runs when developers install dependencies (‘preinstall script entry is added’, ‘during any npm install run’).
  • [T1027] Obfuscated Files or Information – The payload is hidden with ROT-N, AES-128-GCM, and obfuscator.io layers (‘obfuscated preinstall malware’, ‘heavily obfuscated using the obfuscator.io toolchain’).
  • [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – The malware stores encrypted blobs and decodes them at runtime using AES-128-GCM and ROT-N (‘decrypts two encrypted blobs’, ‘rotation value N differs per package’).
  • [T1140] Deobfuscate/Decode Files or Information – The code reconstructs and decodes the payload from character codes and encrypted blobs before execution (‘String.fromCharCode reconstructs a string’, ‘decryption of the chrome package payload’).
  • [T1056.001] Input Capture: Keylogging – Not a traditional keylogger, but it harvests credential material from environment variables, token files, and SSH data (‘AWS_ACCESS_KEY_ID’, ‘GITHUB_TOKEN’, ‘~/.ssh/’).
  • [T1552.001] Unsecured Credentials: Credentials In Files – It reads credentials from files such as ~/.npmrc, SSH files, and cloud credential files (‘~/.npmrc’, ‘~/.ssh/’, ‘application default credential files’).
  • [T1552.004] Unsecured Credentials: Private Keys – The malware targets SSH material and other secret-bearing files that can contain private key data (‘~/.ssh/’).
  • [T1528] Steal Application Access Token – It targets GitHub tokens and workflow-related secrets from development environments (‘GITHUB_TOKEN’, ‘GITHUB_WORKFLOW_REF’).
  • [T1105] Ingress Tool Transfer – The malware downloads the Bun runtime from GitHub before executing the main payload (‘downloads the bun runtime (v1.3.13) from github.com/oven-sh/bun/releases’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Stolen data is exfiltrated via the GitHub API and HTTP connections (‘exfiltrated via the GitHub API’, ‘Connects through HTTP’).
  • [T1057] Process Discovery – It checks for GitHub Actions context by inspecting environment variables to determine where it is running (‘checks GITHUB_REPOSITORY and GITHUB_WORKFLOW_REF’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The preinstall script creates automatic execution during installation, acting as an execution persistence mechanism within the build process (‘preinstall script’).
  • [T1106] Native API – The payload uses Node.js crypto APIs to decrypt and run encrypted content (‘createDecipheriv(“aes-128-gcm”)’).
  • [T1036] Masquerading – The attack blends into legitimate package and runtime behavior by using a real Bun release from an official GitHub repository (‘legitimate binary from a legitimate source’).
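As an added example (not code from ReversingLabs or Red Hat), the following Node.js audit looks for the modification pattern described in the key points and MITRE entries above: a @redhat-cloud-services package whose package.json gained a preinstall script and whose index.js carries the loader markers quoted there (String.fromCharCode, createDecipheriv with aes-128-gcm, the oven-sh/bun release URL). The two version strings come from the IoC list; the function names and the sample package tree are constructed for illustration.

```javascript
// Added audit example (not the project's own code): flag installed packages that
// show the pattern from the write-up: @redhat-cloud-services scope, a preinstall
// hook, and an index.js that rebuilds strings and decrypts AES-128-GCM blobs.
const SCOPE = "@redhat-cloud-services/";

// Only the two compromised versions the page names; the other 30 are not listed,
// so treat this as a starting point rather than a complete blocklist.
const KNOWN_BAD_VERSIONS = new Set([
  "@redhat-cloud-services/chrome@2.3.1",
  "@redhat-cloud-services/types@3.6.1",
]);

// Loader markers quoted in the write-up. Each is common in benign code on its
// own, so the audit requires at least two of them together.
const LOADER_MARKERS = [
  /String\.fromCharCode/,
  /createDecipheriv\(\s*["']aes-128-gcm["']/,
  /oven-sh\/bun\/releases/,
];

// Returns a list of findings for one package (empty when it looks untouched).
function auditPackage(pkg) {
  const findings = [];
  const manifest = JSON.parse(pkg.packageJson);
  const id = `${manifest.name}@${manifest.version}`;
  if (KNOWN_BAD_VERSIONS.has(id)) findings.push(`known compromised version ${id}`);
  if (!manifest.name.startsWith(SCOPE)) return findings;
  const scripts = manifest.scripts || {};
  if ("preinstall" in scripts) findings.push(`preinstall hook: ${scripts.preinstall}`);
  const hits = LOADER_MARKERS.filter((re) => re.test(pkg.indexJs || ""));
  if (hits.length >= 2) findings.push(`index.js matches ${hits.length} loader markers`);
  return findings;
}

// Constructed sample tree: a clean-looking manifest (version chosen for
// illustration) and one carrying the preinstall hook plus loader markers.
const SAMPLE_TREE = [
  { packageJson: JSON.stringify({ name: "@redhat-cloud-services/types", version: "3.6.0",
      scripts: { build: "tsc" } }),
    indexJs: "module.exports = require('./dist');" },
  { packageJson: JSON.stringify({ name: "@redhat-cloud-services/types", version: "3.6.1",
      scripts: { preinstall: "node index.js" } }),
    indexJs: "const s = String.fromCharCode(99, 114, 121);" +
             " require('crypto').createDecipheriv('aes-128-gcm', k, iv);" },
];

// Audits every package in a tree and keeps only those with findings.
function auditTree(tree) {
  return tree
    .map((pkg) => ({ name: JSON.parse(pkg.packageJson).name, findings: auditPackage(pkg) }))
    .filter((r) => r.findings.length > 0);
}
```

To run it against a real checkout, build the tree by reading each node_modules/@redhat-cloud-services/*/package.json and index.js into the same object shape.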

Indicators of Compromise

  • [SHA-256] malicious index.js files – 21b6409a7b84446310daca5409ad6112ac60a1e4bef97736e53fff5f63bfdef4, 5c6cb758a3447bc7e0de34406919a933f9351e90ef04ec43f3bbb401e7004e1b, and 2 more hashes
  • [Package versions] compromised npm versions – @redhat-cloud-services/chrome 2.3.1, @redhat-cloud-services/types 3.6.1, and 30 other malicious versions
  • [Package names] affected packages – @redhat-cloud-services/frontend-components, @redhat-cloud-services/frontend-components-utilities, and 30 other packages
  • [URLs] runtime download source – github.com/oven-sh/bun/releases; GitHub API endpoints used for exfiltration
  • [Environment variables] credential targets – AWS_ACCESS_KEY_ID, GITHUB_TOKEN, and other cloud or CI/CD secrets such as AZURE_VAULT_NAME and GITHUB_WORKFLOW_REF
  • [File paths] local secret locations – ~/.npmrc, ~/.ssh/, and cloud credential files read by the payload


Read more: https://www.reversinglabs.com/blog/red-hat-cloud-service-npm-packages-backdoored-in-72-seconds