A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines.
The package, named “oscompatible,” was published on January 9, 2024, and received 380 downloads before it was removed.
According to software supply chain security company Phylum, “oscompatible” contained a “few strange binaries”: a single executable file, a dynamic-link library (DLL), and an encrypted DAT file.
The package’s JavaScript file (“index.js”) executes an “autorun” batch script, but only after performing a compatibility check to see whether the target machine is running Microsoft Windows.
If the platform is not Windows, it warns the user that the script is running on Linux or another unapproved operating system and advises them to run it on “Windows Server OS.”
For its part, the batch script checks whether it has administrator privileges and, if not, runs a legitimate Microsoft Edge component called “cookie_exporter.exe” via a PowerShell command.
Attempting to run that binary triggers a User Account Control (UAC) prompt asking the target to run it with administrator credentials.
The threat actor then executes the DLL (“msedge.dll”) to carry out the next stage of the attack, using a technique known as DLL search order hijacking.
The trojanized version of the library is designed to decrypt the DAT file (“msedge.dat”) and launch another DLL called “msedgedat.dll,” which in turn connects to the actor-controlled domain “kdark1[.]com” to retrieve a ZIP archive.
The ZIP file contains the AnyDesk remote desktop software as well as a remote access trojan (“verify.dll”) that can use WebSockets to retrieve instructions from a command-and-control (C2) server and collect private data from the host.
Additionally, it “captures keyboard and mouse events,” according to Phylum, “installs Chrome extensions to Secure Preferences, configures AnyDesk, hides the screen, and disables shutting down Windows.”
The development is yet another sign that threat actors are increasingly targeting open-source software (OSS) ecosystems for supply chain attacks, even though “oscompatible” appears to be the only npm module used as part of the campaign.
According to the company, “from the binary side, the process of decrypting data, using a revoked certificate for signing, obtaining other files from remote sources, and trying to pass for an ordinary Windows update process the entire time is relatively sophisticated compared to what we typically see in OSS ecosystems.”
The news coincides with a report from cloud security company Aqua, which found that 21.2% of the top 50,000 npm packages are deprecated, endangering users’ security. In other words, an estimated 2.1 billion copies of the deprecated packages are downloaded each week.
This includes packages tied to archived and deleted GitHub repositories, as well as those whose repositories, commit history, and issue tracking are kept private or not visible.
Security researchers Ilay Goldman and Yakir Kadkoda stated that “this situation becomes critical when maintainers choose to deprecate affected packages rather than addressing security flaws with patches or CVE assignments.”
The fact that these maintainers occasionally fail to formally mark the package as deprecated on npm “makes this particularly concerning, leaving a security gap for users who might not be aware of potential threats.”