
NodeJS malware caught exfiltrating IPs, username, and device information on GitHub

Multiple NodeJS packages laden with malicious code have been spotted on the npm registry.

These “typosquatting” packages served no purpose other than collecting data from the user’s device and broadcasting it on public GitHub pages.

The findings were spotted by Sonatype’s automated malware detection systems and further investigated by the company’s Security Research team which includes me.

The packages previously present on the open source npm registry included:

  1. electorn (intentional misspelling of a legitimate package “electron”)
  2. loadyaml
  3. loadyml
  4. lodashs (intentional misspelling of a legitimate package “lodash”)

All four packages were published by the same user “simplelive12” and have now been removed, with the first two having been taken down by npm as of October 1, 2020. The remaining two packages were unpublished by the author themselves.

Once installed, electorn ran a script in the background every hour which collected the logged-in user’s IP, geolocation data, username, path to home directory, and CPU model information.

Figure: The malicious code within electorn and the three other identical packages which exfiltrated user information.

This information, part of which constitutes the device “fingerprint”, was uploaded and published on GitHub in real time.

Some of the information being published is base64-encoded, but this can be trivially decoded by anyone who has access to it.

Sonatype’s Security Research team has added detection for these malicious packages to its products, and notified both the npm and GitHub teams of the malicious activity stemming from the components. This led to the takedown of these malicious packages.

To date, all four packages have accumulated a little over 400 downloads in total.

It is not exactly clear what the purpose of collecting this data was, or why it was being published on the web for the world to see; however, incidents like these highlight the potential of typosquatting attacks on the open-source ecosystem.

We can only imagine what the next possible version of these packages could have been capable of – possibly carrying out even more sinister activities.

By tricking an unsuspecting developer into mistakenly installing a misspelled package, attackers can push their malicious code “downstream” into any other open-source projects that use the misspelled malicious component as a transitive dependency.
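The check below is an added example, not code from the article or from Sonatype, showing how a project can audit its own dependency tree for the four package names reported above and for near-miss spellings of well-known packages. It reads the `packages` map of an npm `package-lock.json` (lockfile version 2 or 3), so it catches transitive dependencies as well as direct ones; the `POPULAR` list and the sample lockfile are constructed for the example and would be replaced by a curated allowlist and the real lockfile in practice.

```javascript
// Added example (not from the article or Sonatype): audit a package-lock.json
// dependency tree for the four package names named in the article and for
// one-edit-away spellings of well-known packages.

const KNOWN_MALICIOUS = new Set(["electorn", "loadyaml", "loadyml", "lodashs"]);

// Names to compare against. This short list is an assumption for the example;
// a real audit would use a curated allowlist of the packages the project expects.
const POPULAR = ["electron", "lodash", "js-yaml", "express", "react"];

// Optimal string alignment distance: Levenshtein plus adjacent transposition,
// so "electorn" vs "electron" scores 1 (one swapped pair).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Extract package names from a lockfileVersion 2/3 "packages" map. Keys look
// like "node_modules/foo" or "node_modules/foo/node_modules/@scope/bar"; the
// package name is everything after the last "node_modules/".
function packageNamesFromLock(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    if (key === "") continue; // the root project entry
    const idx = key.lastIndexOf("node_modules/");
    names.add(key.slice(idx + "node_modules/".length));
  }
  return [...names];
}

// Returns one finding per suspicious package: an exact hit on the known-bad
// list, or a name one edit away from a popular package without being it.
function auditLockfile(lock, popular = POPULAR) {
  const findings = [];
  for (const name of packageNamesFromLock(lock)) {
    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ name, reason: "known-malicious", match: name });
      continue;
    }
    if (popular.includes(name)) continue; // exact match is the genuine package
    for (const p of popular) {
      if (editDistance(name, p) === 1) {
        findings.push({ name, reason: "near-miss", match: p });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile for the example (not a real project's lockfile).
// "lodashs" is pulled in transitively by "some-lib", the scenario the article
// describes for downstream projects.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/electron": { version: "0.0.0" },
    "node_modules/electorn": { version: "0.0.0" },
    "node_modules/some-lib": { version: "0.0.0" },
    "node_modules/some-lib/node_modules/lodashs": { version: "0.0.0" },
    "node_modules/expres": { version: "0.0.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
}
```

Running it against the constructed lockfile reports electorn and lodashs as known-malicious and expres as a near-miss of express, while the genuine electron entry passes. Near-miss hits are a prompt for review rather than proof of malice, since legitimate packages with similar names exist; the point of reading the lockfile rather than package.json is that a typosquat introduced by a dependency of a dependency still shows up.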

Adopting DevSecOps best practices and building security early into your software development lifecycle can prevent “counterfeit components” such as electorn and loadyaml from entering and thriving in your software supply chains.

The complete research findings are available on the Sonatype blog.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
