The npm Threat Landscape: Attack Surface and Mitigations

MITRE Techniques

• [T1195 ] Supply Chain Compromise – Used to weaponize the npm registry and other distribution channels to distribute malware and backdoor legitimate packages (‘the npm registry could be used as a force multiplier for malware distribution’).
• [T1078 ] Valid Accounts – Stole and reused npm tokens and GitHub Personal Access Tokens to publish backdoored packages and manipulate repositories (‘theft of npm tokens and GitHub Personal Access Tokens (PATs)’).
• [T1555 ] Credentials from Password Stores – Read local credential files and config stores across OSes to harvest secrets (‘Reads sensitive files from the developer’s workstation, with per-OS path lists’).
• [T1005 ] Data from Local System – Collected and read files from disk for inclusion in exfiltration payloads (‘All others are read in full and included in the exfiltration payload’).
• [T1105 ] Ingress Tool Transfer – Downloaded the Bun JavaScript runtime during install to execute payload code (‘Downloads the Bun JavaScript runtime (v1.3.13) from the official github[.]com/oven-sh/bun releases’).
• [T1027 ] Obfuscated Files or Information – Employed multiple obfuscation layers (string table rotation, seeded ASCII shuffle, gzip+Base64 blobs, mangled identifiers) to hinder analysis (‘The code employs multiple layers of obfuscation’).
• [T1041 ] Exfiltration Over C2 Channel – Sent harvested credentials to a remote C2 via encrypted HTTPS POSTs (‘sent via POST hxxps[:]//audit.checkmarx[.]cx:443/v1/telemetry’).
• [T1567 ] Exfiltration Over Web Service – Used stolen GitHub tokens to create public repositories and commit encrypted results for resilient exfiltration (‘Creates a new public repository under the victim’s account … Commits encrypted result files to a results/ directory’).
• [T1098 ] Account Manipulation – Created repositories, branches, workflow files, and published packages using compromised accounts to expand access and persistence (‘Creates a new branch, commits .github/workflows/format-check.yml — a malicious workflow … Writes a .npmrc with the stolen token’s auth line … and runs bun publish’).
• [T1505 ] Server Software Component – Embedded malicious components into developer tooling and CI/CD channels (GitHub Actions, Docker Hub images, VS Code extensions) to attain long-term distribution and pipeline persistence (’embedding themselves into continuous integration/continuous delivery (CI/CD) pipelines to attain long-term, undetectable access’).