Sonatype researchers are tracking an ongoing npm registry campaign where malicious packages are used to retrieve and exfiltrate Kubernetes configuration and SSH keys to an external server. At least 14 such packages have been identified, impersonating legitimate JavaScript libraries and scripts, with activity tied to a domain used by the attackers. #Sonatype #Kubernetes #SSHKeys #app.threatest.com
Keypoints
- The campaign targets the npm registry, using packages to exfiltrate Kubernetes config and SSH keys.
- Researchers identified at least 14 malicious npm packages involved in the operation.
- The packages impersonate legitimate libraries (e.g., ESLint plugins, TypeScript SDK tools) to disguise malicious activity.
- Later versions of some packages carry an obfuscated payload, while earlier versions contain the same attack payload in plaintext, which allows the behaviour of the obfuscated code to be verified.
- The malware collects basic host information (username, IP address, hostname) and exfiltrates it along with sensitive files.
- The attackers rely on a domain (app.threatest[.]com) that resolves to Cloudflare IPs, complicating attribution.
MITRE Techniques
- [T1195] Supply Chain – The campaign uses npm packages to retrieve and exfiltrate Kubernetes config and SSH keys via the supply chain. “…uses npm packages to retrieve and exfiltrate your Kubernetes configuration and SSH keys to an external server…”
- [T1036] Masquerading – The malware impersonates legitimate libraries and components such as ESLint plugins and TypeScript SDK tools. “impersonate JavaScript libraries and components, such as ESLint plugins and TypeScript SDK tools.”
- [T1027] Obfuscated/Compressed Files and Information – The payloads include obfuscated code executed from within the package. “index.js file runs obfuscated code.”
- [T1005] Data from Local System – The attack collects and siphons sensitive files from the target machine, including Kubernetes config and SSH keys. “…collect and siphon sensitive files from the target machine.”
- [T1082] System Information Discovery – The script gathers basic fingerprinting data such as username, IP address, and hostname. “a system’s basic fingerprinting information, such as username, IP address, hostname.”
- [T1041] Exfiltration – Exfiltration of Kubernetes config, SSH keys, and other sensitive data to an external server. “exfiltrate the Kubernetes config, SSH keys, and other sensitive bits of information.”
Indicators of Compromise
- [Domain] app.threatest[.]com – Domain used by malicious packages to host/exfiltrate data and potentially control payloads
- [IP Address] 172.67.141.49, 104.21.9.30 – Cloudflare-facing IPs observed resolving the malicious domain
- [Package Name] @am-fe/hooks, @am-fe/provider, @am-fe/request, @am-fe/utils, @am-fe/watermark, @am-fe/watermark-core – Example malicious npm packages
- [Package Name] @dynamic-form-components/mui, @dynamic-form-components/shineout, @expue/app, @fixedwidthtable/fixedwidthtable, @soc-fe/use, @spgy/eslint-plugin-spgy-fe, @virtualsearchtable/virtualsearchtable, shineouts – Additional related malicious packages
- [File] index.js – Obfuscated payload file observed inside the package
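As an added defensive example (not code from the Sonatype report), the following Python script checks a project's package-lock.json against the malicious package names listed above; the sample lockfile it runs on is constructed for illustration.

```python
import json

# Malicious npm package names listed in the report's IoC section.
MALICIOUS_PACKAGES = {
    "@am-fe/hooks", "@am-fe/provider", "@am-fe/request", "@am-fe/utils",
    "@am-fe/watermark", "@am-fe/watermark-core",
    "@dynamic-form-components/mui", "@dynamic-form-components/shineout",
    "@expue/app", "@fixedwidthtable/fixedwidthtable", "@soc-fe/use",
    "@spgy/eslint-plugin-spgy-fe", "@virtualsearchtable/virtualsearchtable",
    "shineouts",
}

def installed_packages(lockfile: dict) -> set:
    """Return every package name recorded in a package-lock.json (lockfileVersion 1, 2 or 3)."""
    names = set()
    # v2/v3: "packages" keys are paths such as "node_modules/@scope/name",
    # possibly nested ("node_modules/a/node_modules/b"); the root entry is "".
    for path in lockfile.get("packages", {}):
        if "node_modules/" in path:
            names.add(path.rsplit("node_modules/", 1)[1])
    # v1 (also present in v2 for compatibility): nested "dependencies" tree.
    def walk(deps):
        for name, meta in deps.items():
            names.add(name)
            walk(meta.get("dependencies", {}))
    walk(lockfile.get("dependencies", {}))
    return names

def find_iocs(lockfile: dict) -> list:
    """Return the sorted list of IoC package names present in the lockfile."""
    return sorted(installed_packages(lockfile) & MALICIOUS_PACKAGES)

# Constructed sample lockfile (not from the report): one clean entry, two flagged ones.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/@am-fe/hooks": {"version": "1.0.3"},
        "node_modules/foo/node_modules/shineouts": {"version": "0.0.1"},
    },
}

if __name__ == "__main__":
    # To scan a real project: lock = json.load(open("package-lock.json"))
    for hit in find_iocs(SAMPLE_LOCK):
        print("IoC package present:", hit)
```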
Read more: https://blog.sonatype.com/npm-packages-caught-exfiltrating-kubernetes-config-ssh-keys