Wednesday, January 24, 2024

Two Malicious NPM Packages Expose The Developer Keys via Github

Two malicious npm packages, warbeast2000 and kodiak2k, discovered on the npm package registry have been identified for leveraging GitHub to store Base64-encrypted SSH keys stolen from the developer systems on which they were installed. Published at the beginning of the month, these packages gained 412 and 1,281 downloads respectively before being removed by npm maintainers. The most recent downloads were observed on January 21, 2024.

Security firm ReversingLabs, specializing in software supply chain security, made the discovery and reported that there were eight different versions of warbeast2000 and over 30 versions of kodiak2k.

Upon installation, both modules execute a postinstall script, with each capable of retrieving and executing a different JavaScript file. Warbeast2000 attempts to access the private SSH key, while kodiak2k searches for a key named "meow," suggesting the use of a placeholder name during the early stages of development.

In the case of warbeast2000, a second-stage malicious script reads the private SSH key stored in the id_rsa file in the <homedir>/.ssh directory and uploads the Base64-encoded key to an attacker-controlled GitHub repository.

Subsequent versions of kodiak2k were found to execute a script from an archived GitHub project hosting the Empire post-exploitation framework. This script can launch the Mimikatz hacking tool to dump credentials from process memory.

Security researcher Lucija Valentić noted that this campaign is another instance of cybercriminals and malicious actors exploiting open-source package managers and related infrastructure for malicious software supply chain campaigns, targeting both development and end-user organizations.


Post a Comment