NPM targeted by malware campaign mimicking familiar library names

Developers are increasingly falling prey to malicious NPM packages that mimic popular libraries, exploiting cross-ecosystem typosquatting tactics. These packages contain obfuscated code designed to execute malicious actions, exfiltrate data, and persist on infected systems.
Affected: NPM ecosystem, developers, Python, Java, C++, .NET, Node.js

Keypoints:

  • Coordinated malware operation discovered in the NPM ecosystem.
  • Malicious packages mimic popular libraries from other programming languages.
  • Obfuscated code is used to evade security measures.
  • Sensitive data is exfiltrated and persistence is maintained on infected systems.
  • Common IP address traced to a cloud provider in Beijing.
  • Cross-ecosystem typosquatting is the main strategy used.
  • Developer awareness and trust in package names is being exploited.
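The cross-ecosystem typosquatting described above relies on a developer recognising a name from PyPI, Maven or NuGet and installing the npm package that carries it. One defensive check is to compare every dependency in a project's package.json against a curated list of popular names from other ecosystems and flag exact or near matches. The script below is an added example, not code from the original post or from Socket; the reference list, the allowlist and the sample manifest are constructed for the demonstration, and the edit-distance threshold is an assumption a team would tune.

```python
"""Flag npm dependencies whose names collide with, or closely resemble,
well-known libraries from other ecosystems (cross-ecosystem typosquatting).
Added example; not code from the original post or from Socket."""
import json

# Constructed reference list (hypothetical sample, not the campaign's package
# list): popular library names from ecosystems other than npm. A real
# deployment would build this from PyPI/Maven/NuGet download statistics.
CROSS_ECOSYSTEM_NAMES = {
    "requests": "PyPI",
    "beautifulsoup4": "PyPI",
    "numpy": "PyPI",
    "log4j": "Maven",
    "gson": "Maven",
    "boost": "C++ (Boost)",
    "newtonsoft.json": "NuGet",
    "serilog": "NuGet",
}

# Hypothetical allowlist of npm names a team has reviewed and accepted
# (for example a legitimate port of a library from another ecosystem).
REVIEWED_ALLOWLIST = {"example-approved-port"}

# Constructed package.json for the demonstration (not a real project manifest).
SAMPLE_PACKAGE_JSON = """
{
  "name": "demo-app",
  "dependencies": {
    "express": "^4.18.2",
    "requests": "1.0.3",
    "beautifulsoup": "2.1.0",
    "@acme/log4j": "0.0.1",
    "lodash": "^4.17.21"
  },
  "devDependencies": {
    "jest": "^29.0.0",
    "serilogg": "1.2.0"
  }
}
"""


def normalize(name):
    """Lowercase and drop an npm scope prefix: '@acme/log4j' -> 'log4j'."""
    if name.startswith("@") and "/" in name:
        name = name.split("/", 1)[1]
    return name.lower()


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def dependency_names(package_json):
    """Collect dependency names from the manifest sections npm installs."""
    manifest = json.loads(package_json)
    names = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.extend(manifest.get(section, {}).keys())
    return names


def closest_reference(name):
    """Return (reference_name, distance) for the nearest cross-ecosystem name."""
    return min(((ref, levenshtein(name, ref)) for ref in CROSS_ECOSYSTEM_NAMES),
               key=lambda pair: pair[1])


def find_suspicious(package_json, max_distance=1):
    """Return findings for dependencies that match or nearly match a popular
    library name from another ecosystem and are not on the reviewed allowlist."""
    findings = []
    for raw in dependency_names(package_json):
        name = normalize(raw)
        if name in REVIEWED_ALLOWLIST:
            continue
        ref, dist = closest_reference(name)
        if dist > max_distance:
            continue
        findings.append({
            "name": raw,
            "matched": ref,
            "ecosystem": CROSS_ECOSYSTEM_NAMES[ref],
            "reason": "exact" if dist == 0 else f"edit distance {dist}",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_PACKAGE_JSON):
        print(f"{f['name']!r} resembles {f['matched']!r} from "
              f"{f['ecosystem']} ({f['reason']})")
```

Run against the constructed manifest, the check flags `requests` and the scoped `@acme/log4j` as exact cross-ecosystem collisions and `beautifulsoup` and `serilogg` as one-edit near misses, while `express`, `lodash` and `jest` pass. A fixed threshold of one edit is noisy for very short names (a four-letter name is one edit away from many others), so in practice the threshold should scale with name length or apply only above a minimum length, and every hit should go to a human reviewer rather than block installs outright.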

MITRE Techniques:

  • T1071.001: Application Layer Protocol – Fetching malicious code via HTTPS.
  • T1059.001: PowerShell – Executing commands through script downloads.
  • T1105: Ingress Tool Transfer – Transferring tools from remote locations.
  • T1005: Data from Local System – Collecting system data and credentials.
  • T1083: File and Directory Discovery – Scanning system directories for sensitive files.
  • T1033: System Owner/User Discovery – Targeting specific user/system environments.
  • T1070.001: File Deletion – Removing traces of the attack.
  • T1027: Obfuscation – Hiding malicious code to avoid detection.
  • T1029: Scheduled Task/Job – Maintaining persistence with scheduled tasks.
  • T1070.004: Permissions Modification – Modifying file permissions to maintain control.
  • T1041: Exfiltration Over C2 – Exfiltrating data over command and control channels.
  • T1030: Data Transfer Size Limits – Evading detection by exfiltrating small chunks.
  • T1055: Process Injection – Injecting malicious code into legitimate processes.
  • T1082: System Information Discovery – Gathering system info and credentials.

Indicators of Compromise:

  • [IP Address] 8.152.163.60


Full Story: https://socket.dev/blog/npm-targeted-by-malware-campaign-mimicking-familiar-library-names
