Infostealer for Windows, macOS and Linux found in ten packages on npm

The npm packages were available since July, have elaborately obfuscated malicious routines, and rely on a fake CAPTCHA to appear authentic.


Since the beginning of July, packages with well-hidden malicious code have been available in the JavaScript package manager npm. The company Socket, which specializes in software supply chain security, has found ten packages that together account for 9,900 downloads. According to the Socket blog, they were still available on npm as of October 28, but are no longer to be found there.

The packages download an infostealer suitable for the operating system, which steals credentials on Windows, macOS, and Linux. The attack is multi-layered.

The attackers rely on typosquatting for the distribution of the malicious code: the npm packages have names similar to legitimate packages, including typescriptjs instead of TypeScript and dizcordjs instead of discord.js. Socket found the following packages with malicious code: typescriptjs, deezcord.js, dizcordjs, dezcord.js, etherdjs, ethesjs, ethetsjs, nodemonjs, react-router-dom.js, and zustand.js.


The installation routine, registered as the postinstall script in package.json, opens a new terminal window appropriate to the operating system and starts the app.js application with Node inside it. This way the execution stays out of sight of the main terminal window.

The app.js file obfuscates the malicious code using various methods, including URL encoding and switch statements with hexadecimal and octal calculations:

// Control flow obfuscation makes it difficult to follow execution path
var kMvc = (0x75bcd15-0O726746425);  // Evaluates to 0
while(kMvc < (0o1000247%0x10023)) {  // Loop condition with mixed bases
  switch(kMvc) {
    case (0x75bcd15-0O726746425):  // Case 0
      kMvc = condition ? (262270%0o200031) : (0o204576-67939);
      break;
    case (0o203030-67070):  // Case 1
      // Actual logic here
      break;
  }
}

The comments in the code snippet are from Socket. To appear authentic, the malware displays a CAPTCHA rendered as ASCII art before it starts its actual work.

(Image: Socket. The ASCII-art CAPTCHA is purely a diversion.)

After entering any sequence of characters – the CAPTCHA is purely a diversion – the malicious code sends the IP address of the target system to an attacker's server and downloads a binary that matches the previously determined operating system.

To achieve this, the malware switches languages to Python: the downloaded binary is a PyInstaller package named “data_extracter”, whose code is not obfuscated in any way. PyInstaller bundles a Python application together with all its dependencies into a single package that runs on the target system; it is available for Linux, Windows, and macOS and does not require a Python installation.

data_extracter searches numerous directories and files for credentials, including Firefox and Chromium data directories, SSH key directories, and configuration locations such as ~/.aws/credentials. Among other things, it searches SQLite database files and JSON configuration files for API keys and other credentials.

The application also steals cookie data from the browser and examines keyrings depending on the operating system. It also attempts to intercept authentication tokens. The collected credentials are packaged by data_extracter into a zip file, which it finally sends to an attacker's server.

Anyone who has installed one of the mentioned packages must assume that the attackers have exfiltrated data. Even though the found packages are no longer available, they were in circulation for over three months, and due to the sophisticated obfuscation techniques alone, other packages could be affected by a variant of the attack.

Further details on the affected packages, the network infrastructure, and the MITRE ATT&CK techniques used can be found in the Socket blog.

The incident is further evidence that npm remains vulnerable to supply chain attacks. Developers can, however, take some protective measures.

(rme)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.