XMLRPC npm Library Turns Malicious: Data Theft and Crypto Mining Unveiled

Cybersecurity experts have uncovered a year-long software supply chain attack targeting the npm package registry. A seemingly benign JavaScript library, @0xengine/xmlrpc, has turned malicious, stealing sensitive data and deploying cryptocurrency miners on infected systems.
The Timeline and Impact
Initially released on October 2, 2023, as an XML-RPC server and client for Node.js, the library has amassed 1,790 downloads. However, researchers at Checkmarx revealed that on October 3, 2023, version 1.3.4 introduced harmful code. The malware extracts SSH keys, bash history, system metadata, and environment variables every 12 hours, exfiltrating them via Dropbox and file.io.
Distribution Methods
The attack exploited multiple vectors:
- Direct Installation: Developers unknowingly installed the package via npm.
- Hidden Dependency: A GitHub repository named yawpp (Yet Another WordPress Poster) lists @0xengine/xmlrpc as a dependency, triggering its download during setup.
Crypto Mining and Persistence
Once installed, the malware:
- Deploys the XMRig cryptocurrency miner, linking 68 compromised systems to the attacker’s Monero wallet.
- Monitors processes to avoid detection, terminating mining-related tasks if tools like top or iostat are detected.
- Suspends mining operations upon detecting user activity.
MUT-8694: A Broader Campaign
This disclosure coincides with findings from Datadog Security Labs, identifying a malicious campaign named MUT-8694 targeting Windows users. It utilizes fake npm and PyPI packages to deploy Blank-Grabber and Skuld Stealer, malware designed to compromise systems and steal sensitive information.
Key Takeaways for Developers
- Typosquatting techniques make malicious libraries appear legitimate, as seen with npm packages targeting Roblox developers.
- The persistence of threat actors like MUT-8694 underscores the need for vigilance in software supply chains.
- Regular audits and dependency checks are critical to mitigate risks from malicious updates.
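As an added example (not code from the article or from the package in question), here is a dependency check of the kind the takeaways call for: it scans an npm lockfile (v2/v3 "packages" map) for @0xengine/xmlrpc, reports whether each copy arrived directly or transitively (for instance through yawpp), and flags versions at or above 1.3.4, the first release the article names as malicious. The lockfile below is constructed sample data, and the plain numeric version comparison is an assumption of this example.

```javascript
// Constructed sample lockfile (not a real project): yawpp pulls in the suspect package.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { yawpp: "^1.0.0" } },
    "node_modules/yawpp": { version: "1.0.0", dependencies: { "@0xengine/xmlrpc": "^1.3.0" } },
    "node_modules/yawpp/node_modules/@0xengine/xmlrpc": { version: "1.3.4" },
    "node_modules/express": { version: "4.19.2" },
  },
};

const SUSPECT = "@0xengine/xmlrpc";
const FIRST_BAD = "1.3.4"; // version the article names as the first to carry the malicious code

// Compare dotted versions numerically (prerelease tags are ignored; assumption of this example).
function versionAtLeast(v, floor) {
  const a = v.split("-")[0].split(".").map(Number);
  const b = floor.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Package name from a lockfile path such as "node_modules/a/node_modules/@scope/b".
function nameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? p : p.slice(idx + "node_modules/".length);
}

// One finding per installed copy of the suspect package, with its parent chain.
function findSuspectPackages(lock, suspect = SUSPECT, firstBad = FIRST_BAD) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || nameFromPath(path) !== suspect) continue;
    // Every segment before the last "node_modules/" is a parent that pulled it in.
    const via = path.split("/node_modules/").slice(0, -1).map(nameFromPath).filter(Boolean);
    findings.push({
      path,
      version: meta.version,
      transitive: via.length > 0,
      via,
      flagged: versionAtLeast(meta.version, firstBad),
    });
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) console.log(findSuspectPackages(SAMPLE_LOCK));
```

Run it against a real project's package-lock.json by replacing SAMPLE_LOCK with the parsed file; a flagged finding with a non-empty `via` list is the hidden-dependency case the article describes.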
Conclusion
This case highlights the growing risks in open-source ecosystems, where even well-maintained packages can turn rogue. Developers must adopt rigorous vetting processes and maintain ongoing vigilance to protect their systems from evolving threats.
Ensure your team stays updated on the latest cybersecurity practices to safeguard against supply chain attacks.