npm packages spread ‘Bladeroid’ crypto-stealer, hijack your Instagram

Sonatype found several npm packages that install a Windows info-stealer/crypto-stealer named Bladeroid, designed to harvest browser data, wallet information, and social-media sessions. The packages were published on npm and deploy encrypted payloads that exfiltrate data via a WebHook and target wallet extensions. #Bladeroid #sniperv1 #sniperv2 #snipersee #sniperser #deuplouded #bladeroidxyz #bladeroidcom

Keypoints

  • Five malicious npm packages (sniperv1, sniperv2, snipersee, sniperser, deuplouded) were published on Feb 28, 2024 and carry a Windows info-stealer/crypto-stealer named Bladeroid.
  • The packages automatically launch an index.js payload via a postinstall script, triggering the malware on installation.
  • The malware peeks into browser cookies, local storage, and auto-fill form data, exfiltrating sensitive browser data.
  • It hijacks logged-in web sessions for Instagram, Reddit, Spotify, TikTok, and other services by stealing their session cookies.
  • Crypto-wallet data is targeted: the malware checks for installed browser extensions for wallets such as MetaMask, Exodus, Coinbase, and BinanceChain.
  • Data is exfiltrated via a WebHook, and the code is designed to collect as much sensitive information as possible before sending it to the attacker.
  • Origins point to Turkish-language content and the bladeroid.xyz domain used for the webhook, with registration tied to a Turkish provider (Turkticaret); about 200 downloads were observed before removal.

MITRE Techniques

  • [T1059.007] JavaScript – The malicious packages execute a JavaScript payload by launching an index.js file via a postinstall script. ‘As soon as these packages are installed, they automatically launch an index.js file via a postinstall script.’
  • [T1027] Obfuscated Files or Information – The payload is encrypted, with the decryption key embedded in the same code that decrypts and runs it. ‘the decrypted version of the payload… is a little over 2,300 lines.’
  • [T1195] Software Supply Chain – Open-source npm packages were published and spread, illustrating a supply-chain compromise vector. ‘These packages were all published on February 28, 2024 on the npm registry…’
  • [T1555.003] Credentials in Web Browsers – The stealer reads browser cookies, local storage, and auto-fill form data; and searches for wallet-related extensions. ‘The info-stealer can be seen peeking into a user’s browser cookies and local storage data and attempts to steal saved (auto-fill) form data.’ ‘looks if any browser extensions installed on your system are related to popular crypto wallets like Metamask, BinanceChain, Coinbase, Exodus…’
  • [T1539] Steal Web Session Cookie – The malware attempts to hijack logged-in sessions for platforms like Instagram, Reddit, TikTok, and Spotify. ‘hijack your existing sessions for services like Instagram, Reddit, TikTok, and Spotify sessions.’
  • [T1567.002] Exfiltration to Web Services – Data is exfiltrated via a WebHook, representing exfiltration to web services. ‘The code appears to be focused on extensively collecting as much sensitive information on the user as it can, and exfiltrating it to the attacker via a WebHook.’

Indicators of Compromise

  • [Domain] Webhook domains – bladeroid.xyz, bladeroid.com
  • [Package] Malicious npm packages – sniperv1, sniperv2, snipersee, sniperser, deuplouded
  • [File] Payload-related files mentioned – sa.js (referenced), gayy.js (actual decrypted payload)
  • [Identifier] Sonatype tracking identifier – sonatype-2024-0529
  • [Domain] Registration details hint – bladeroid.xyz and bladeroid.com registered via Turkticaret (Turkish provider)

Read more: https://blog.sonatype.com/npm-packages-caught-spreading-bladeroid-info-stealer