Full Report
As many as 60 malicious npm packages have been discovered in the package registry with malicious functionality to harvest hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint. The packages, published under three different accounts, come with an install‑time script that's triggered during npm install, Socket security researcher Kirill Boychenko said in a
Analysis Summary
# Tool/Technique: Malicious npm Packages (Reconnaissance & Data Exfiltration)
## Overview
A collection of approximately 60 malicious npm packages published under three different compromised accounts (*bbbb335656*, *cdsfdfafd1232436437*, *sdsds656565*). These packages contain an install-time script designed to fingerprint the host environment, collect sensitive system and network information, evade basic sandbox environments, and exfiltrate this data to a Discord-controlled webhook endpoint.
## Technical Details
- Type: Malware (Data Stealer/Reconnaissance) executed via Software Supply Chain Compromise
- Platform: Windows, macOS, Linux
- Capabilities: System fingerprinting, sandbox evasion, network enumeration, data exfiltration via Discord webhook.
- First Seen: Not specified, reported last week (relative to article publication).
## MITRE ATT&CK Mapping
- TA0043 - C2 Communication
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Likely HTTP/S via Discord API calls)
- TA0009 - Collection
- T1082 - System Information Discovery
- T1082.001 - System Model and Information (Implied by host enumeration)
- TA0006 - Credential Access
- T1005 - Data from Local System (Harvesting user directories/paths)
- TA0003 - Persistence
- T1133 - External Remote Services (Dependency on external C2 via Discord)
## Functionality
### Core Capabilities
- **Install-Time Execution:** Malicious code is triggered automatically during the `npm install` process due to malicious scripts embedded in the package manifests (e.g., `preinstall`, `postinstall`).
- **System Enumeration:** Harvests hostnames, IP addresses (internal and external), DNS servers, system information, Network Interface Card (NIC) details, and user directories/project paths.
- **Data Exfiltration:** Transmits all collected reconnaissance data to a designated Discord webhook endpoint.
### Advanced Features
- **Sandbox Evasion:** Includes checks to detect and abort execution if the environment is identified as a virtualized environment associated with cloud providers (e.g., Amazon, Google).
- **Supply Chain Abuse:** Leverages the trusted npm ecosystem to propagate malware during software development workflows.
## Indicators of Compromise
- File Hashes: N/A (Specific hashes not provided in the context)
- File Names: N/A (Payload execution is script-driven during installation)
- Registry Keys: N/A
- Network Indicators: Discord webhooks (C2 endpoint - defanged)
- Behavioral Indicators: Execution of scripts upon `npm install`, attempting to gather system environment variables and network configuration details.
## Associated Threat Actors
The packages were published under three non-persistent accounts: *bbbb335656*, *cdsfdfafd1232436437*, and *sdsds656565*.
## Detection Methods
- Signature-based detection: Signatures targeting common malware code patterns associated with data scraping and Discord webhook POST requests.
- Behavioral detection: Anomalous system/network discovery calls originating from the package manager process during installation. Monitoring for network connections to known Discord API endpoints initiated by `npm`.
- YARA rules: N/A (Rules typically focus on file-based malware, less applicable to runtime script execution unless the script payload is static).
## Mitigation Strategies
- **Dependency Verification:** Implement strict policies for vetting third-party dependencies, paying close attention to newly published packages or packages with unusual installation scripts.
- **Package Auditing:** Utilize tools to statically analyze package contents before installation to look for suspicious life-cycle scripts (`preinstall`, `postinstall`).
- **Least Privilege:** Run package installations with reduced permissions where possible, although this may not prevent all reconnaissance if execution context remains the current user.
- **Network Monitoring:** Monitor outgoing network traffic from build/CI/CD pipelines for unauthorized connections, especially to communication platforms not typically used for operational traffic (like Discord).
## Related Tools/Techniques
- Other malicious npm packages deploying destructive payloads (e.g., *vite-plugin-bomb*, *js-bomb*).
- Malicious packages used to facilitate phishing campaigns (e.g., *citiycar8* delivering JavaScript payloads linked to CDN hosting).
- Malicious VS Code extensions targeting Solidity developers for crypto wallet theft (e.g., *solaibot* used by MUT-9332).
***
# Tool/Technique: Malicious npm Packages (Destructive Payloads)
## Overview
A set of eight malicious npm packages masquerading as helper libraries for popular JavaScript frameworks (React, Vue.js, Vite, Node.js, Quill Editor). These packages contain destructive payloads designed to corrupt data, delete critical files, and crash systems upon invocation or installation.
## Technical Details
- Type: Malware (Wiper/Destructive Payload) via Software Supply Chain Compromise
- Platform: JavaScript/Node.js environments (affecting projects using React, Vue, Vite)
- Capabilities: File deletion (recursive deletion of framework files), corruption of fundamental JavaScript methods, tampering with browser storage (localStorage, sessionStorage, cookies), and system shutdown.
- First Seen: Some packages published in 2023.
## MITRE ATT&CK Mapping
- TA0004 - Privilege Escalation (Implied if deletion requires necessary permissions)
- TA0006 - Credential Access (Tampering with browser storage mechanisms)
- TA0008 - Lateral Movement (Implied by disrupting development stability)
- TA0004 - Impact
- T1485 - Data Destruction
- T1490 - Inhibit System Recovery (By corrupting core methods/storage)
## Functionality
### Core Capabilities
- **File Deletion:** Recursively deletes framework-related files (Vue.js, React, Vite).
- **Data Corruption:** Corrupts fundamental JavaScript methods and compromises browser storage (local/session storage, cookies).
- **System Shutdown:** The package `js-bomb` can initiate a system shutdown depending on the execution time.
### Advanced Features
- **Masquerading:** Blends in with legitimate helper utility libraries, creating a facade of legitimacy.
- **Dual Approach:** The associated threat actor publishes both harmful and seemingly legitimate packages to build trust.
## Indicators of Compromise
- File Hashes: N/A
- File Names: *vite-plugin-vue-extend*, *quill-image-downloader*, *js-hood*, *js-bomb*, *vue-plugin-bomb*, *vite-plugin-bomb*, *vite-plugin-bomb-extend*, *vite-plugin-react-extend*
- Registry Keys: N/A
- Network Indicators: N/A (Primary mechanism is local destruction)
- Behavioral Indicators: Unexpected file deletion activities, manipulation of browser storage API calls, or execution of system shutdown commands following package invocation.
## Associated Threat Actors
- **xuxingfeng** (The actor who published the rogue packages).
## Detection Methods
- Signature-based detection: Signatures targeting code patterns associated with destructive file system operations (`fs.rmdir`, `fs.unlink`) affecting common project directories.
- Behavioral detection: Monitoring for unusual termination of development environments or unexpected calls to system shutdown routines during development setup.
- YARA rules: N/A
## Mitigation Strategies
- **Strict Dependency Auditing:** Treat all new or infrequently used npm packages as potentially hostile.
- **Execution Control:** Use sandboxed or containerized environments for running `npm install` in untrusted projects to limit potential system damage.
- **Backup Strategy:** Maintain robust, isolated backups of source code and critical system files.
## Related Tools/Techniques
- Other software supply chain attacks targeting developer toolchains.
***
# Tool/Technique: Malicious npm Package & Phishing Chain (citiycar8)
## Overview
A multi-stage, sophisticated attack combining an initial phishing email leading to the installation of a malicious npm package (*citiycar8*). The package contains encrypted JavaScript code, which, upon execution, initiates a URL redirection chain to harvest Microsoft 365 credentials via a fake login page.
## Technical Details
- Type: Malware Chain (Phishing/Credential Theft) delivered via Software Supply Chain Attack
- Platform: Systems installing the *citiycar8* npm package (implied Windows based on context, but JavaScript is cross-platform).
- Capabilities: AES encryption, leveraging a CDN to host initial payload, multi-stage URL redirection, credential harvesting via fake login pages.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Malicious .HTM file attachment)
- TA0006 - Credential Access
- T1552.001 - Credentials in Files (Stealing credentials via user input)
- TA0002 - Execution
- T1204.002 - User Execution: Malicious File (User executing the .HTM file)
- TA0011 - Command and Control
- T1071.001 - Application Layer Protocol (HTTP/S for redirection chain)
## Functionality
### Core Capabilities
- **Initial Vector:** Phishing email containing a malicious `.HTM` file.
- **Payload Hosting:** The `.HTM` file contains encrypted JavaScript hosted on jsDelivr (a CDN).
- **Package Delivery:** The code eventually loads and installs the *citiycar8* npm package.
- **Credential Theft:** The installed JavaScript payload executes a URL redirection chain leading the user to a forged Office 365 login page to capture credentials.
### Advanced Features
- **Encryption & Obfuscation:** Uses AES encryption for the initial JavaScript payload.
- **Layered Delivery:** Combines email phishing, CDN hosting, and software package abuse to mask the final credential-stealing objective.
## Indicators of Compromise
- File Hashes: N/A
- File Names: *citiycar8* (npm package)
- Registry Keys: N/A
- Network Indicators: jsDelivr (used for initial payload hosting), domains pointing to the fake Office 365 landing page (defanged).
- Behavioral Indicators: Execution of HTML attachments triggering JavaScript, installation of the *citiycar8* package, subsequent rapid URL redirection chains.
## Associated Threat Actors
Attribution not explicitly named for this specific chain, but linked generally to sophisticated supply chain abuse.
## Detection Methods
- Signature-based detection: Signatures for the *citiycar8* package name in dependency scans.
- Behavioral detection: Detecting unusual execution flows starting from document attachments leading to package manager activity. Monitoring for connections to known phishing domains used in the redirection chain.
- YARA rules: N/A
## Mitigation Strategies
- **Email Security:** Implement robust filtering for suspicious email attachments, especially `.HTM` files attempting to download external content.
- **User Training:** Educate users to be wary of unsolicited login prompts, particularly those requiring input after clicking links from unexpected sources.
- **MFA Enforcement:** Multi-Factor Authentication significantly reduces the risk associated with stolen credentials.
## Related Tools/Techniques
- Other JavaScript-based malware utilizing CDNs for payload staging.
- Traditional phishing campaigns targeting cloud service credentials.
***
# Tool/Technique: Malicious VS Code Extensions (MUT-9332)
## Overview
A set of malicious extensions found in the Visual Studio Code (VS Code) Marketplace, attributed to threat actor MUT-9332. These extensions masquerade as legitimate tools for Solidity developers (syntax scanning, vulnerability detection) but are designed to steal cryptocurrency wallet credentials by deploying multi-stage, obfuscated malware.
## Technical Details
- Type: Malware (Cryptocurrency Credential Stealer) delivered via Marketplace Compromise
- Platform: Windows systems running VS Code with Solidity development workflow.
- Capabilities: Cryptocurrency wallet credential theft (Ethereum), keystroke logging, data exfiltration to C2 endpoints appearing relevant to Solidity development.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1589.002 - Compromise Software Supply Chain: Compromise Software Supply Chain (Marketplace)
- TA0009 - Collection
- T1056.001 - Input Capture: Keylogging
- T1119 - Data from Drag and Drop (Implied data extraction)
- TA0010 - Command and Control
- T1071 - Application Layer Protocol
- TA0004 - Impact
- T1490 - Inhibit System Recovery (Installers for other payloads)
## Functionality
### Core Capabilities
- **Credential Theft:** The final goal is to deploy a malicious Chromium-based browser extension capable of stealing Ethereum wallet credentials.
- **System Monitoring:** Installs a separate executable to capture keystrokes and scan application data directories (Discord, Chromium browsers, Crypto Wallets, Electron apps).
- **Payload Concealment:** Utilizes complex infection chains, including one instance where a payload was hidden inside an image file hosted on the Internet Archive.
### Advanced Features
- **Persistence/Multi-Stage:** Employs multiple stages of obfuscated malware for delivery.
- **Cryptojacking (Related Activity):** MUT-9332 is also linked to campaigns using VS Code extensions to install XMRig cryptominers disguised as AI/coding tools.
- **C2 Cloaking:** Uses Command and Control domains that appear contextually relevant to Solidity development to evade flagging.
## Indicators of Compromise
- File Hashes: N/A
- File Names: *solaibot*, *among-eth*, *blankebesxstnion* (VS Code Extensions)
- Registry Keys: N/A
- Network Indicators: C2 domains appearing relevant to Solidity/development (defanged).
- Behavioral Indicators: Installation of non-standard browser extensions, unauthorized access attempts on cryptocurrency wallet directories, outbound connections to C2 domains from development environments.
## Associated Threat Actors
- **MUT-9332** (Attributed by Datadog Security Research).
## Detection Methods
- Signature-based detection: Signatures on known C2 domains used by MUT-9332.
- Behavioral detection: Monitoring for the installation of secondary, unauthorized browser extensions upon loading a specialized VS Code extension. Monitoring executable creation in user profile directories following IDE activity.
- YARA rules: N/A
## Mitigation Strategies
- **Marketplace Vigilance:** Limit the installation of extensions, especially for niche development tasks, to those from highly trusted or official vendors.
- **Endpoint Detection:** Implement EDR/XDR solutions capable of inspecting complex infection chains that involve dynamic payload loading from external sources (like Archive.org).
- **Crypto Wallet Security:** Use hardware wallets where possible and isolate sensitive cryptocurrency operations from general development machines.
## Related Tools/Techniques
- VS Code extensions used for cryptomining in separate campaigns attributed to MUT-9332.
- General software supply chain attacks targeting developer platforms (npm, VS Code Marketplace).