Summary:
The Checkmarx Research team has uncovered a year-long supply chain attack involving the malicious NPM package @0xengine/xmlrpc, which evolved from a legitimate XML-RPC implementation to a tool for stealing sensitive data and mining cryptocurrency. This incident highlights the need for ongoing vigilance in monitoring software supply chains, as even seemingly safe packages can become compromised.
#SupplyChainSecurity #MaliciousPackages #OpenSourceRisks
Keypoints:
A malicious NPM package, @0xengine/xmlrpc, was active from October 2023 to November 2024 and received 16 updates during that time.
The package transitioned from a legitimate XML-RPC implementation to a malicious tool by introducing obfuscated code in later versions.
It steals sensitive data and mines cryptocurrency every 12 hours, exfiltrating data through Dropbox and file.io.
Distribution occurred via direct NPM installation and as a dependency in a legitimate GitHub repository.
The malware employs evasion techniques to avoid detection and has been found on up to 68 compromised systems.
MITRE Techniques
Data Encrypted for Impact (T1486): The malware encrypts sensitive data to exfiltrate it without detection.
Command and Control (T1071): Utilizes Dropbox and file.io for data exfiltration.
Credential Dumping (T1003): Gathers SSH keys and bash history for sensitive information.
Cryptojacking (T1496): Mines cryptocurrency using compromised systems.
Persistence (T1547): Establishes a systemd service to maintain presence on infected systems.
Exploitation of Software Dependencies (T1190): The package exploits trust in dependencies to spread.
IoC:
[url] hxxps[:]//codeberg[.]org/k0rn66/xmrdropper/raw/branch/master/xprintidle
[url] hxxps[:]//codeberg[.]org/k0rn66/xmrdropper/raw/branch/master/xmrig
[url] hxxps[:]//codeberg[.]org/k0rn66/xmrdropper/raw/branch/master/Xsession.sh
[wallet address] 45J3v3ooxT335ENFjJBB3s7WS7xGekEKiBW4Z6sRSTUa5Kbn8fbqwgC47SLUDdKsri7haj7PBi5Wvf3xLmrX9CEZ3MGEVJU
Full Research: https://checkmarx.com/blog/npm-supply-chain-attack-combines-crypto-mining-and-data-theft/
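Two defender-side checks that follow from the keypoints and the IoC list above, as an added example (not code from Checkmarx or from the research): one walks a package-lock.json to find the package even when it arrives as a transitive dependency, the other matches a systemd unit or script against the published indicators. The lockfile and unit text in the block are constructed samples; the IoC strings are the ones listed on this page.

```python
"""Defensive checks derived from the @0xengine/xmlrpc report (added example):
does a package-lock.json pull the package in, directly or transitively, and
does a systemd unit or script mention the published IoCs? Samples are constructed."""
import re

MALICIOUS_PACKAGE = "@0xengine/xmlrpc"

# Indicators from the report; the URL regex also matches the defanged form.
IOC_PATTERNS = {
    "xmrdropper-repo": re.compile(r"codeberg\[?\.\]?org/k0rn66/xmrdropper", re.I),
    "xmr-wallet": re.compile(r"45J3v3ooxT335ENFjJBB3s7WS7xGekEKiBW4Z6sRSTUa5Kbn8"
                             r"fbqwgC47SLUDdKsri7haj7PBi5Wvf3xLmrX9CEZ3MGEVJU"),
}

def find_package(lock: dict, name: str = MALICIOUS_PACKAGE) -> list:
    """Return node_modules paths where `name` is installed (lockfileVersion 1-3)."""
    hits = []
    # lockfileVersion 2/3: flat "packages" map keyed by install path.
    for path in lock.get("packages", {}):
        if path.endswith("node_modules/" + name):
            hits.append(path)
    # lockfileVersion 1 (and the v2 compatibility block): nested "dependencies".
    def walk(deps, prefix):
        for dep, meta in deps.items():
            here = f"{prefix}node_modules/{dep}"
            if dep == name:
                hits.append(here)
            walk(meta.get("dependencies", {}), here + "/")
    walk(lock.get("dependencies", {}), "")
    return list(dict.fromkeys(hits))  # v2 lists both blocks; drop duplicates

def scan_text_for_iocs(text: str) -> list:
    """Return labels of report IoCs found in text, e.g. a systemd unit file."""
    return [label for label, rx in IOC_PATTERNS.items() if rx.search(text)]

# Constructed lockfileVersion 3 sample: the package arrives transitively.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"some-app-lib": "^1.0.0"}},
        "node_modules/some-app-lib": {"dependencies": {"@0xengine/xmlrpc": "*"}},
        "node_modules/some-app-lib/node_modules/@0xengine/xmlrpc": {},
    },
}
# Constructed unit text that references the dropper repository from the IoC list.
SAMPLE_UNIT = ("[Service]\nExecStart=/opt/x/run.sh "
               "https://codeberg.org/k0rn66/xmrdropper/raw/branch/master/xmrig\n")
```

Run `find_package` over every lockfile in a build tree and `scan_text_for_iocs` over `/etc/systemd/system/*.service` and user unit directories; a hit on the transitive path is the case a top-level `package.json` review misses.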