Summary:
The Checkmarx Research team has uncovered a year-long supply chain attack involving the malicious NPM package @0xengine/xmlrpc, which evolved from a legitimate XML-RPC implementation to a tool for stealing sensitive data and mining cryptocurrency. This incident highlights the need for ongoing vigilance in monitoring software supply chains, as even seemingly safe packages can become compromised.
#SupplyChainSecurity #MaliciousPackages #OpenSourceRisks
Keypoints:
A malicious NPM package, @0xengine/xmlrpc, has been active from October 2023 to November 2024, receiving 16 updates.
The package initially presented itself as a legitimate XML-RPC implementation but introduced malicious code in later versions.
The malware steals sensitive data and mines cryptocurrency every 12 hours, exfiltrating data via Dropbox and file.io.
Distribution occurred through direct NPM installation and as a hidden dependency in a legitimate-looking GitHub repository.
Advanced evasion techniques are employed to avoid detection and maintain persistence on infected systems.
At least 68 compromised systems were identified actively mining cryptocurrency for the attacker.
MITRE Techniques:
Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
Data Exfiltration (T1041): Exfiltrates sensitive data through Dropbox and file.io.
Credential Dumping (T1003): Gathers SSH keys and bash history from compromised systems.
Cryptojacking (T1496): Mines cryptocurrency using compromised systems.
Persistence (T1547): Establishes persistence through systemd as a disguised service.
Process Injection (T1055): Monitors for detection tools and adjusts its mining activity to evade them.
IoC:
[url] hxxps[:]//codeberg[.]org/k0rn66/xmrdropper/raw/branch/master/xprintidle
[url] hxxps[:]//codeberg[.]org/k0rn66/xmrdropper/raw/branch/master/xmrig
[url] hxxps[:]//codeberg[.]org/k0rn66/xmrdropper/raw/branch/master/Xsession.sh
[others] Wallet Address: 45J3v3ooxT335ENFjJBB3s7WS7xGekEKiBW4Z6sRSTUa5Kbn8fbqwgC47SLUDdKsri7haj7PBi5Wvf3xLmrX9CEZ3MGEVJU
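Added example (not part of the Checkmarx report): a Python check that flags @0xengine/xmlrpc in an npm package-lock.json, including when it is pulled in as a hidden transitive dependency, and scans a systemd unit's text for the indicators listed above. The lockfile, the wrapper package name and the unit contents are constructed samples.

```python
import json
import re

# Indicators come from the advisory's IoC section; the three defanged URLs are
# reduced to the repository path they share plus the file names they fetch.
MALICIOUS_PACKAGE = "@0xengine/xmlrpc"
IOC_PATTERNS = [
    r"codeberg\.org/k0rn66/xmrdropper",
    r"\bxmrig\b",
    r"Xsession\.sh",
    r"\bxprintidle\b",
    r"45J3v3ooxT335ENFjJBB3s7WS7xGekEKiBW4Z6sRSTUa5Kbn8fbqwgC47SLUDdKsri7haj7PBi5Wvf3xLmrX9CEZ3MGEVJU",
]

def find_package_in_lockfile(lock_json: str) -> list[str]:
    """Return install paths of the malicious package in a package-lock.json,
    whether it is a direct or a transitive (hidden) dependency."""
    lock = json.loads(lock_json)
    hits: list[str] = []
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path in lock["packages"]:
            if path.endswith("node_modules/" + MALICIOUS_PACKAGE):
                hits.append(path)
        return hits

    def walk(deps: dict, trail: str) -> None:  # lockfileVersion 1: nested tree
        for name, meta in deps.items():
            here = trail + name
            if name == MALICIOUS_PACKAGE:
                hits.append(here)
            walk(meta.get("dependencies", {}), here + " > ")

    walk(lock.get("dependencies", {}), "")
    return hits

def find_iocs_in_unit(unit_text: str) -> list[str]:
    """Return the IoC patterns that occur in a systemd unit file's text."""
    return [pat for pat in IOC_PATTERNS if re.search(pat, unit_text)]

# Constructed samples: a wrapper package ("wrapper-dep", hypothetical) that pulls
# the malicious package in transitively, and a benign-looking unit that runs Xsession.sh.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"wrapper-dep": "*"}},
    "node_modules/wrapper-dep": {"dependencies": {"@0xengine/xmlrpc": "*"}},
    "node_modules/wrapper-dep/node_modules/@0xengine/xmlrpc": {"version": "0.0.0"},
}})
SAMPLE_UNIT = ("[Unit]\nDescription=Session Manager\n[Service]\n"
               "ExecStart=/bin/sh /var/tmp/.cache/Xsession.sh\nRestart=always\n")
```

Run both functions over every package-lock.json on a build host and over the unit files under /etc/systemd and ~/.config/systemd to hunt for this campaign.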
Full Research: https://checkmarx.com/blog/dozens-of-machines-infected-year-long-npm-supply-chain-attack-combines-crypto-mining-and-data-theft/