Summary:
In a recent targeted campaign, a threat actor known as “topnotchdeveloper12” published three malicious npm packages that impersonate popular cryptographic libraries. The packages carry spyware/infostealer malware aimed at crypto-asset developers and steal their credentials and other sensitive information. The campaign highlights the ongoing risk to software supply chains from third-party libraries. At the time of the report the malicious packages remained live on the npm registry, posing a significant threat to developers and organizations alike.
#SupplyChainSecurity #MaliciousPackages #CryptoThreats
Keypoints:
Threat actor “topnotchdeveloper12” published three malicious npm packages: crypto-keccak, crypto-jsonwebtoken, and crypto-bignumber.
The packages contain spyware-infostealer malware disguised as legitimate libraries.
Malware targets crypto-asset developers to steal credentials and sensitive information.
Malicious executables, Microsoft Store.exe and bigNumber.exe, exfiltrate data via HTTP POST requests to C2 servers.
Malware employs credential harvesting, keylogging, and clipboard monitoring techniques.
Threat actor’s code modifies Windows registry for persistence upon system boot.
Malicious packages have been downloaded over 1,000 times and are still available on npm.
Socket offers tools to detect and prevent such supply chain threats in real time.
MITRE Techniques:
Supply Chain Compromise (T1195.002): Compromise Software Supply Chain.
Masquerading (T1036.005): Match Legitimate Name or Location.
Command and Scripting Interpreter (T1059.007): JavaScript.
Acquire Infrastructure (T1583.006): Web Services.
Data from Local System (T1005): Collecting data from the local file system before exfiltration.
Browser Information Discovery (T1217): Gathering information from web browsers.
Credentials from Password Stores (T1555.003): Credentials from Web Browsers.
Steal Web Session Cookie (T1539): Theft of web session cookies.
Input Capture (T1056.001): Keylogging.
Clipboard Data (T1115): Capturing clipboard data.
Exfiltration Over C2 Channel (T1041): Data exfiltration via command and control channels.
Application Layer Protocol (T1071.001): Utilizing web protocols for communication.
Boot or Logon Autostart Execution (T1547.001): Modifying registry Run keys for persistence.
IoC:
[Malicious Package] crypto-keccak
[Malicious Package] crypto-jsonwebtoken
[Malicious Package] crypto-bignumber
[C2 Infrastructure] 209.151.151[.]172
[C2 Infrastructure] 209.151.151[.]172/media/itemmedia
[C2 Infrastructure] 209.151.151[.]172/media/itemmediacurl
[C2 Infrastructure] 209.151.151[.]172/timetrack/add
[C2 Infrastructure] 69.164.209[.]197
[Malware Sample] Microsoft Store.exe (SHA256: d29370fa6fbf4f5a02c262f0be43bb083cfb61f46c75405d297493420ddf1508)
[Malware Sample] bigNumber.exe (SHA256: 5a733c20d5b00006428ca3c4f82505bebc2d2300c709f490d3dea4fab497effb)
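The indicators above can be hunted for directly. The following script is an added example, not code from Socket or from the report: it checks an npm lockfile for the three malicious package names (including copies nested under another package's node_modules), matches a file-hash inventory against the two sample SHA-256 values (by hash rather than by file name, since "Microsoft Store.exe" is chosen to blend in), and flags proxy log lines that reach the C2 addresses, rating a POST to one of the known paths higher than any other request to those hosts. The lockfile, hash inventory and proxy log lines are constructed sample data, and the proxy log format (timestamp, client, method, URL, status) is an assumption; the IPs are the report's defanged addresses with the brackets removed.

```python
"""Hunt for the report's IoCs in an npm lockfile, a SHA-256 inventory and proxy logs.

Added example, not code from Socket or the report. All sample inputs below are
constructed; the proxy log layout (timestamp client METHOD url status) is assumed.
"""
import json
import re

# Indicators copied from the report's IoC list (addresses un-defanged for matching).
MALICIOUS_PACKAGES = {"crypto-keccak", "crypto-jsonwebtoken", "crypto-bignumber"}
C2_HOSTS = {"209.151.151.172", "69.164.209.197"}
C2_PATHS = {"/media/itemmedia", "/media/itemmediacurl", "/timetrack/add"}
MALWARE_SHA256 = {
    "d29370fa6fbf4f5a02c262f0be43bb083cfb61f46c75405d297493420ddf1508": "Microsoft Store.exe",
    "5a733c20d5b00006428ca3c4f82505bebc2d2300c709f490d3dea4fab497effb": "bigNumber.exe",
}


def find_malicious_packages(lockfile_json: str) -> list[str]:
    """Return malicious package names present in a package-lock.json.

    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path, so a
    nested 'node_modules/foo/node_modules/crypto-keccak' is still caught) and
    lockfileVersion 1 ("dependencies" keyed by bare name).
    """
    lock = json.loads(lockfile_json)
    names = set()
    for key in lock.get("packages", {}):
        if key:  # "" is the root project entry, not a dependency
            names.add(key.rsplit("node_modules/", 1)[-1])
    names.update(lock.get("dependencies", {}))
    return sorted(names & MALICIOUS_PACKAGES)


def find_known_samples(hash_inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Match an inventory of {path: sha256} against the report's sample hashes.

    Matching is case-insensitive on the hash only; the file name is ignored
    because the dropper names are chosen to look legitimate.
    """
    hits = []
    for path, digest in hash_inventory.items():
        digest = digest.lower()
        if digest in MALWARE_SHA256:
            hits.append((path, digest, MALWARE_SHA256[digest]))
    return hits


# Assumed proxy log layout: "<timestamp> <client> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^\S+ \S+ (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})")


def find_c2_traffic(log_lines: list[str]) -> list[dict]:
    """Flag proxy log lines whose destination host is a listed C2 address.

    A POST to one of the known C2 paths is the exfiltration pattern described
    in the report and is rated "high"; any other request to a C2 host is still
    reported as "medium" so a GET beacon or a retry is not missed.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host_path = re.sub(r"^https?://", "", m["url"])
        host, _, path = host_path.partition("/")
        host = host.split(":")[0]  # drop an explicit port if present
        if host not in C2_HOSTS:
            continue
        path = "/" + path
        known_exfil = m["method"] == "POST" and path in C2_PATHS
        hits.append({"line": line, "host": host, "path": path,
                     "confidence": "high" if known_exfil else "medium"})
    return hits


# ---- constructed sample inputs (not real captures) ----
SAMPLE_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"jsonwebtoken": "^9.0.0", "crypto-keccak": "^1.0.0"}},
        "node_modules/jsonwebtoken": {"version": "9.0.2"},
        "node_modules/crypto-keccak": {"version": "1.0.0"},
        "node_modules/foo/node_modules/crypto-bignumber": {"version": "1.0.1"},
    },
})
SAMPLE_HASHES = {
    r"C:\Users\dev\AppData\Roaming\Microsoft Store.exe":
        "D29370FA6FBF4F5A02C262F0BE43BB083CFB61F46C75405D297493420DDF1508",
    r"C:\Users\dev\project\node_modules\express\index.js": "0" * 64,
}
SAMPLE_PROXY_LOG = [
    "2024-01-01T10:12:01Z 10.0.0.5 POST http://209.151.151.172/media/itemmedia 200",
    "2024-01-01T10:12:03Z 10.0.0.5 GET http://209.151.151.172/ 404",
    "2024-01-01T10:13:00Z 10.0.0.7 POST https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 200",
]

if __name__ == "__main__":
    print("malicious packages:", find_malicious_packages(SAMPLE_LOCKFILE))
    print("known samples:", find_known_samples(SAMPLE_HASHES))
    for hit in find_c2_traffic(SAMPLE_PROXY_LOG):
        print(f"[{hit['confidence']}] {hit['host']}{hit['path']}  <- {hit['line']}")
```

Point the three functions at a real package-lock.json, a hash listing from your EDR or from a `certutil -hashfile`/`sha256sum` sweep, and exported proxy logs; a lockfile hit means the package was installed, not merely requested, so treat the host as compromised and rotate any credentials, tokens and wallet material that were reachable from it.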
Full Research: https://socket.dev/blog/malicious-npm-packages-threaten-crypto-developers