ReversingLabs researchers have discovered two malicious packages on the npm open source package manager that leverages GitHub to store stolen Base64-encrypted SSH keys lifted from developer systems that installed the malicious npm packages.
Multiple versions of the malicious npm packages, warbeast2000 and kodiak2k were identified in January, and have since been removed from npm. However, the campaign is just the latest example of cybercriminals and malicious actors using open source package managers and related infrastructure to support malicious software supply chain campaigns that target development organizations and end-user organizations.
Discussion: Malicious packages target developer SSH keys
In recent years, open source package managers and code repositories became ground zero for malicious campaigns. As noted in ReversingLabs’ new report, The State of Software Supply Chain Security 2024, the number of malicious packages found on open source package managers jumped 1,300% between 2020 and the end of 2023. That includes everything from low-threat protestware and automated phishing campaigns to more subtle malicious campaigns delivering malware, like the r77 rootkit, directly from open source packages.
Packages on npm grab private keys
In recent weeks, ReversingLabs researchers discovered two suspicious npm packages named warbeast2000 and kodiak2k. Here’s what the research team knows about each.
warbeast2000
On January 3, ReversingLabs researchers using the company’s Software Supply Chain Security platform identified a package, warbeast2000, which was suspicious and appeared to be malicious. The package, in itself, was not very complicated. It contained just a few components. The corresponding npm page for warbeast2000 was basic and not obviously mimicking another package.
Furthermore, at the time it was discovered, warbeast2000 was in the process of being developed. There were eight versions (1.0.0 – 1.0.8), with new elements being added to the package with each new version. Malicious functionality was only observed in the last, posted version of the package.
It appears that the package author was in the process of building out the malware and adding layers of deception. Fortunately, the package was detected and removed from npm before that could happen.
Figure 1: Postinstall script
What did warbeast2000 do? Based on our analysis of the final version of the package, once it was installed on a victim’s computer, it would launch a postinstall script that fetched and executed a javascript file. This second stage malicious script read the private ssh key stored in the id_rsa file located in the <homedir>/.ssh directory. It then uploaded the Base64 encoded key to an attacker-controlled GitHub repository. And that was it. Besides grabbing and copying the id_rsa SSH key, the package displayed no other behaviors.
The choice of the id_rsa key was a natural one, as id_rsa is the default file name given to ssh keys when running the ssh-keygen program, a standard component of the SSH package on Linux and macOS systems as well as with Git for Windows.
Figure 2: Malicious second stage from warbeast2000
As noted, the warbeast2000 package was probably still under development when it was detected, meaning that what was observed may not be the fully conceived package. It is possible, for example, that the entire contents of the .ssh folder would be sent to a GitHub repository owned by a malicious actor.
The warbeast2000 package was reported to npm administrators and removed on or around January 3.
Kodiak2k
Shortly after discovering the warbeast2000 package, on January 5, the ReversingLabs Software Supply Chain Security platform identified another npm package with very similar behavior: kodiak2k. Unlike warbeast2000, kodiak2k had more than 30 different versions and, apart from the first few, all of them were malicious.
Similar to warbeast2000, kodiak2k runs a postinstall script after the package is installed. That script downloads another javascript file and executes it. As with warbeast2000, that script reads the contents of <homedir>/.ssh directory, though the script is looking for a key named meow. It is not clear whether the developer had a specific key in mind or (more likely) used meow as a place holder name while the package was under development.
Whatever the case, when and if the meow file was located, the key contained in it would be encoded in Base64 and uploaded to a GitHub repository, as with the warbeast2000 package.
Later versions of the kodiak2k package also executed a script found in an archived GitHub project containing the Empire post-exploitation framework. The script also invokes the Mimikatz hacking tool, which is commonly used to dump credentials from process memory. There was more activity, as well, across different versions with additional functions that weren’t necessarily malicious. For example, the team observed functions for running notepad.exe, shutdown.exe and an executable that was deployed locally named cryptor.exe. The purpose of these functions wasn’t clear, though it is possible that the malicious actor responsible for creating the kodiak2k package was in the process of testing different malicious functions for future integration into kodiak2k.
The kodiak2k package was reported to npm administrators and removed on or around January 5.
Figure 3: Malicious second stage from kodiak2k
Keys to the kingdom
Malicious actors looking to obtain SSH keys from developers is an alarming development. SSH keys provide those who hold them the ability to access and contribute to GitHub repositories, including those containing proprietary (non-public) code. As attacks like those on SolarWinds and 3CX show, that level of access can have a serious and negative impact on the security of the software producer, as well as the end user organizations that deploy and use the affected software: fueling devastating software supply chain attacks.
Limited scope
Fortunately, the reach of this campaign was limited. ReversingLabs observed different accounts publishing warbeast2000 and kodiak2k on npm. The warbeast2000 package was downloaded a little less than 400 times, whereas the kodiak2k was downloaded around 950 times.
Abusing GitHub is going viral
One of the recent trends ReversingLabs and other security firms have noted is how attackers are expanding their reliance on open source software and open source development infrastructure to further malicious campaigns. That trend includes the growing use of the GitHub version control platform to host elements of malicious command and control infrastructure.
For example, two years ago, we wrote about the discovery of a malicious npm package masquerading as the Material Tailwind CSS tool that used GitHub to fetch the address of a malicious command and control (C2) server. Then, in a blog post published in August 2023, the research team at ReversingLabs wrote about LunaGraber, an open source information-stealing malware available on GitHub. There was the IAmReboot campaign that the ReversingLabs research team wrote about in October, which described the distribution of malicious NuGet downloaders as well as an obfuscated version of the SeroXen RAT hosted on a GitHub repository. Finally, in December, Karlo Zanki wrote about the discovery of PyPI packages that were using GitHub Gists for hosting two-stage malicious payloads.
These findings align with those of other security organizations. The threat intelligence firm Recorded Future, for example, recently published a report (PDF) that found GitHub was the online service that was the most abused by malicious actors. That abuse includes a range of malicious activity, from payload delivery to command-and-control (C2) and data exfiltration (as ReversingLabs has also observed). Recorded Future termed this behavior “living-off-trusted-sites” (LOTS), and said it is “expected to grow with [advanced persistent threats (APT)s’] increasing usage and less-sophisticated groups swiftly following suit.”
Apart from abusing features of platforms like GitHub, there are also concerns that malicious actors might leverage flaws and vulnerabilities in those platforms to further attacks. For example, GitHub recently disclosed a serious vulnerability in the GitHub Enterprise Server (GHES) that potentially exposed sensitive credentials. The vulnerability, CVE-2024-0200, was reported to the company as part of its bug bounty program. It does not appear to have been found or exploited previously. However, SC Magazine reported that the company said it rotates credentials any time they are exposed to a third party.
Conclusion
Fortunately, these malicious packages were detected and reported to npm administrators before they could be widely distributed. That being said, the warbeast2000 and kodiak2k packages are more evidence that legitimate platforms such as GitHub are being used to support supply chain attacks.
That is a concern. With more and more open source malware available, GitHub is increasingly being used by malicious actors to support their campaigns. Often, these open source malware packages are feature rich and come with very detailed documentation allowing even low-skilled hackers (“script kiddies”) to deploy them.
These latest npm campaigns show how malicious actors are starting to use the GitHub platform in novel ways. In addition to GitHub Gists and commit messages being used as C2 infrastructure, we now see GitHub used as a place to store stolen information.
As malicious actors continue to develop new techniques for writing malware, developers as well as security researchers need to be on guard for new threats lurking in public repositories. Before including software or a library found on package managers like npm or PyPI, developers and development organizations should conduct a security assessment of those packages to determine if they are safe to use.
Indicators of Compromise (IOCs)
Indicators of Compromise (IoCs) refer to forensic artifacts or evidence related to a security breach or unauthorized activity on a computer network or system. IOCs play a crucial role in cybersecurity investigations and cyber incident response efforts, helping analysts and cybersecurity professionals identify and detect potential security incidents.
The following IOCs were collected as part of ReversingLabs investigation of this software supply chain campaign.
package_name | version | SHA1 |
warbeast2000 | 1.0.8 | 2da32a4c9e2c3f345f46c6e06d6eb41e13da13d9 |
warbeast2000 | 1.0.7 | ad888d4e2b05bee35acf61c3cc053ecdc5e6ffaf |
warbeast2000 | 1.0.6 | 31abb6e4399138b33545ab5dfa3e12fe1ad4d16e |
warbeast2000 | 1.0.5 | d4a94f63a25891377334909cd544656b16c2b198 |
warbeast2000 | 1.0.3 | ba5c8b0b76b798dea60110a296ba842702aacfa5 |
warbeast2000 | 1.0.2 | d94e7e9f1965c248e17a6629c68f55ffa810e5d5 |
warbeast2000 | 1.0.1 | f1317027456e02fa5c6cadaf897244fc28c24e31 |
warbeast2000 | 1.0.0 | 663d74c7b76e5aae72ed45b3680fa3efbd17586d |
kodiak2k | 1.0.42 | 909927bd61f3466d777bbbff38fd844ed8f5c134 |
kodiak2k | 1.0.40 | c6693fa7d0272562dd56ce8b44c0e99dd1210e43 |
kodiak2k | 1.0.39 | e762e1456a89218661f97e3ae356c07d35c298e8 |
kodiak2k | 1.0.37 | 24e376fbbb4c76b6b3c2572efeaa68053fa35202 |
kodiak2k | 1.0.35 | 7333b0ec183d34a104fd7b9a5f5b93541d39fed3 |
kodiak2k | 1.0.34 | 8f1311588eae8e2fb4eff6dad523198d49d4a766 |
kodiak2k | 1.0.31 | 5500ca40b5537f5b6782a143e8e2e9028b92de2d |
kodiak2k | 1.0.30 | c6c77b4385978ab9cc1cab0826e75227d612b62a |
kodiak2k | 1.0.29 | 9ccc6f5756bb99c5a4eea9e6abc84b79cb3ae6bd |
kodiak2k | 1.0.28 | 8f1d36b074f2f6b7bc28718f88849a6aeb9dbbc6 |
kodiak2k | 1.0.25 | 717fa522c6ee505002bf17d3e79385544834461e |
kodiak2k | 1.0.24 | 245f07892c85807e99a3d9da49677bbd6013ff4f |
kodiak2k | 1.0.22 | 5117a318483b62cd40298358618e57350cc4158a |
kodiak2k | 1.0.21 | 7165b6329ae524392812c534f9bb7e225e305ffe |
kodiak2k | 1.0.20 | f6fda33768f859bc0b42bae40ac0c7dafa0f8d93 |
kodiak2k | 1.0.19 | e70476edc973548abba035993638c1bf3b829d54 |
kodiak2k | 1.0.18 | c1be7a6bd11236d1302fc6c0b206ec70b3b66d25 |
kodiak2k | 1.0.16 | 55f6b8f098ce173f4bfba374fc6da3cd8e0ff435 |
kodiak2k | 1.0.15 | d80e1abd7efcd1304a3b5ce1f6302d3a7edaaad9 |
kodiak2k | 1.0.14 | 13c0ff1347fe631974797aba94d17180ccc8eded |
kodiak2k | 1.0.13 | 6f819af455a3b25edc1f27c938cbaaffdbf3d910 |
kodiak2k | 1.0.12 | 401b2fcd9359215f2f70f39d7d0aa1d50ab09b43 |
kodiak2k | 1.0.11 | d0c75071fc20f03d1b6d35ce7240b03c2a79f5c7 |
kodiak2k | 1.0.10 | ed6e04e810ff085a1a208788e47cce9352ab58bf |
kodiak2k | 1.0.9 | 1d5da7f3fbea3d3915bddeb4c223ba147667a6ba |
kodiak2k | 1.0.8 | fa562e9f3374055812c463b8e36c113a2aafa61c |
kodiak2k | 1.0.7 | 3198a29d70628d1b9feaf8f7215c667383007f48 |
kodiak2k | 1.0.6 | 94836b8471a22563c91d35df6f3a1f5b8e028aa7 |
kodiak2k | 1.0.5 | 79c4359c0c21c4a6c43062a6e9e894ca0bd5617a |
kodiak2k | 1.0.4 | 562238aff7746bdc60f891670c0c8bff46cebe02 |
kodiak2k | 1.0.3 | 96b336c4fddbd1d91a9d1eacb4c36441880ac5bf |
kodiak2k | 1.0.2 | 445922433303e38e227121046d38dd3f31a1d6e0 |
kodiak2k | 1.0.1 | 30fb4cb07089d4e5773e1f20f0a0b25c34aa20ea |
kodiak2k | 1.0.0 | 9300a1ff6bc49aa3f0bfe46245a470f14fc7fac3 |
Second stage payloads:
SHA1 |
dba623bdad6bdb37359e047efcda34de4af5f518 |
9526b820a21fa70641361e061b0f99517ab1b184 |
Source: Original Post
“An interesting youtube video that may be related to the article above”