Summary:
In a recent targeted campaign, a threat actor using the npm handle “topnotchdeveloper12” published three malicious npm packages that impersonate popular cryptographic libraries. The packages carry spyware/infostealer malware aimed at crypto-asset developers and exfiltrate their credentials and other sensitive information. The campaign underscores the ongoing software-supply-chain risk posed by third-party libraries. At the time of the research the malicious packages were still live on the npm registry, posing a significant threat to developers and organizations alike.
#SupplyChainSecurity #MaliciousPackages #CryptoThreats
Keypoints:
- Threat actor “topnotchdeveloper12” published three malicious npm packages: crypto-keccak, crypto-jsonwebtoken, and crypto-bignumber.
- The packages contain spyware-infostealer malware disguised as legitimate libraries.
- Malware targets crypto-asset developers to steal credentials and sensitive information.
- Malicious executables, Microsoft Store.exe and bigNumber.exe, exfiltrate data via HTTP POST requests to C2 servers.
- Malware employs credential harvesting, keylogging, and clipboard monitoring techniques.
- The malware adds Windows registry Run-key entries so it is relaunched at every system boot.
- The malicious packages had been downloaded over 1,000 times and were still available on npm at the time of publication.
- Socket offers tools to detect and prevent such supply chain threats in real time.
MITRE Techniques:
- Supply Chain Compromise (T1195.002): Compromise Software Supply Chain.
- Masquerading (T1036.005): Match Legitimate Name or Location.
- Command and Scripting Interpreter (T1059.007): JavaScript.
- Acquire Infrastructure (T1583.006): Web Services.
- Data from Local System (T1005): Collection of data from the local file system prior to exfiltration.
- Browser Information Discovery (T1217): Gathering information from web browsers.
- Credentials from Password Stores (T1555.003): Credentials from Web Browsers.
- Steal Web Session Cookie (T1539): Theft of web session cookies.
- Input Capture (T1056.001): Keylogging.
- Clipboard Data (T1115): Capturing clipboard data.
- Exfiltration Over C2 Channel (T1041): Data exfiltration via command and control channels.
- Application Layer Protocol (T1071.001): Utilizing web protocols for communication.
- Boot or Logon Autostart Execution (T1547.001): Modifying registry Run keys for persistence.
IoC:
- [Malicious Package] crypto-keccak
- [Malicious Package] crypto-jsonwebtoken
- [Malicious Package] crypto-bignumber
- [C2 Infrastructure] 209.151.151[.]172
- [C2 Infrastructure] 209.151.151[.]172/media/itemmedia
- [C2 Infrastructure] 209.151.151[.]172/media/itemmediacurl
- [C2 Infrastructure] 209.151.151[.]172/timetrack/add
- [C2 Infrastructure] 69.164.209[.]197
- [Malware Sample] Microsoft Store.exe (SHA256: d29370fa6fbf4f5a02c262f0be43bb083cfb61f46c75405d297493420ddf1508)
- [Malware Sample] bigNumber.exe (SHA256: 5a733c20d5b00006428ca3c4f82505bebc2d2300c709f490d3dea4fab497effb)
Full Research: https://socket.dev/blog/malicious-npm-packages-threaten-crypto-developers