Malicious NPM Libraries Caught Installing Password Stealer and Ransomware

Cyber Security

Products You May Like

Malicious actors have yet again published two more typosquatted libraries to the official NPM repository that mimic a legitimate package from Roblox, the game company, with the goal of distributing stealing credentials, installing remote access trojans, and infecting the compromised systems with ransomware.

The bogus packages — named “noblox.js-proxy” and “noblox.js-proxies” — were found to impersonate a library called “noblox.js,” a Roblox game API wrapper available on NPM and boasts of nearly 20,000 weekly downloads, with each of the poisoned libraries, downloaded a total of 281 and 106 times respectively.

Automatic GitHub Backups

According to Sonatype researcher Juan Aguirre, who discovered the malicious NPM packages, the author of noblox.js-proxy first published a benign version that was later tampered with the obfuscated text, in reality, a Batch (.bat) script, in the post-installation JavaScript file.

This Batch script, in turn, downloads malicious executables from Discord’s Content Delivery Network (CDN) that are responsible for disabling anti-malware engines, achieving persistence on the host, siphoning browser credentials, and even deploying binaries with ransomware capabilities.

Recent research from Check Point Research and Microsoft-owned RiskIQ revealed how threat actors are increasingly abusing Discord CDN, a platform with 150 million users, to persistently deliver 27 unique malware families, ranging from backdoors and password stealers to spyware and trojans.

Although both the malicious NPM libraries have since been taken down and are no longer available, the findings are yet another indication as to how popular code registries like NPM, PyPI, and RubyGems have emerged as a lucrative frontier for carrying out a variety of attacks.

The disclosure also mirrors a recent supply-chain attack aimed at “UAParser.js,” a popular JavaScript NPM library with over 6 million weekly downloads, that resulted in the developer’s account being hijacked to corrupt the package with cryptocurrency mining and credential-stealing malware, days after three other copycat crypto-mining packages were purged from the registry.

Products You May Like

Articles You May Like

WhatsApp Reportedly Developing Feature for Web Client That Lets Users Pick Usernames
North Korean Hackers Update BeaverTail Malware to Target MacOS Users
Amazon Prime Day 2024 Sale Ends Tonight: Best Offers on Smartphones, Electronics
The Crowdstrike outage and global software’s single-point failure problem
Amazon Prime Day 2024 Sale to Bring Discounts on OnePlus 12, MacBook Air M1, iPhone 13 and More

Leave a Reply

Your email address will not be published. Required fields are marked *