New Campaign Distributes Malicious npm and PyPI Packages to Pilfer Kubernetes Config, SSH Keys
Researchers have discovered a concerning surge in deceptive npm and PyPI packages distributed as part of a malicious campaign, aimed at extracting Kubernetes configurations and SSH keys from compromised systems.
The First Signs of the Campaign
The campaign was first identified on September 12, 2023, and has been ongoing since then.
Initially, a total of 14 malicious npm packages were identified as part of this campaign, published from different npm accounts:
- @am-fe/hooks
- @am-fe/provider
- @am-fe/request
- @am-fe/utils
- @am-fe/watermark
- @am-fe/watermark-core
- @dynamic-form-components/mui
- @dynamic-form-components/shineout
- @expue/app
- @fixedwidthtable/fixedwidthtable
- @soc-fe/use
- @spgy/eslint-plugin-spgy-fe
- @virtualsearchtable/virtualsearchtable
- shineouts
What links these accounts is that the malicious packages all contact the same domain: app.threatest[.]com.
The malicious packages appear to be benign JavaScript libraries and components, such as ESLint plugins and TypeScript SDK tools; once installed, they run obfuscated code to extract sensitive files from the victim’s machine.
Threat actors are actively uploading such packages to various ecosystems, with the intention of infecting unsuspecting users and exfiltrating data. The threat is significant, as it can potentially result in severe issues for organizations in targeted attacks, including supply chain compromises. To gain insights into the methods employed by threat actors for distributing malicious packages, you can refer to our other blog post.
Example of a Malicious npm Package
Researchers have made several noteworthy observations about these malicious packages. For instance, one package is named “fixedwidthtable” but directs users to a GitHub repository called “typescript-sdk-tools,” and an “index.js” file in the scripts folder runs obfuscated code.
Packages linked to this campaign contain the same code and attempt to mimic legitimate open-source libraries, though the actual files differ.
Researchers further revealed that earlier versions of some of these packages contain an unobfuscated version of the attack payload. This discovery confirmed the attackers’ intent to pilfer sensitive data, including:
- Kubernetes configurations,
- SSH keys,
- System metadata (usernames, IP addresses, hostnames).
When the code is executed on the victim machine, it collects the targeted data and sends it to the app.threatest[.]com domain.
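A defender-side way to hunt for packages with this profile is to scan an unpacked dependency tree for the indicators the report gives: the app.threatest[.]com domain, references to kubeconfig and SSH key paths, install-time lifecycle hooks (the post-install.cjs and pre-install.cjs file names in the table suggest the payload is wired to npm's postinstall/preinstall scripts), and heavily escaped JavaScript as a crude obfuscation signal. The scanner below is an added example, not code from SOCRadar or Phylum; the escape-density heuristic and the sample fixture it builds in a temporary directory are this example's own constructions, and the "bad" fixture file contains inert string literals only.

```python
"""Scan an unpacked npm/PyPI package tree for the indicators described in the report."""
import json
import re
import tempfile
from pathlib import Path

# Indicators from the report: the C2 domain (de-fanged on the page) and the kinds of
# files the payload collects. The path regex is this example's own heuristic.
IOC_DOMAIN = "app.threatest.com"
SENSITIVE_PATH_RE = re.compile(r"\.kube/config|\.ssh/|id_rsa|id_ed25519|authorized_keys")
# npm lifecycle hooks that run automatically when a package is installed.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SOURCE_SUFFIXES = {".js", ".cjs", ".mjs", ".py"}


def obfuscation_score(text: str) -> float:
    """Fraction of non-empty lines that are very long or packed with hex/unicode escapes.
    A crude proxy for the obfuscated JavaScript the report describes."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return 0.0
    flagged = 0
    for ln in lines:
        escapes = len(re.findall(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}", ln))
        if len(ln) > 500 or escapes > 20:
            flagged += 1
    return flagged / len(lines)


def scan_package(pkg_dir: Path) -> dict:
    """Return install hooks, per-file indicator hits, and whether a hook runs a flagged file."""
    result = {"package": pkg_dir.name, "hooks": {}, "hits": [], "hook_runs_flagged_file": False}
    manifest = pkg_dir / "package.json"
    if manifest.is_file():
        try:
            scripts = json.loads(manifest.read_text()).get("scripts", {})
        except (json.JSONDecodeError, AttributeError):
            scripts = {}
        result["hooks"] = {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}
    for path in pkg_dir.rglob("*"):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(pkg_dir).as_posix()
        if IOC_DOMAIN in text.replace("[.]", "."):  # accept de-fanged spellings too
            result["hits"].append((rel, "ioc-domain"))
        if SENSITIVE_PATH_RE.search(text):
            result["hits"].append((rel, "sensitive-path"))
        if obfuscation_score(text) > 0.5:
            result["hits"].append((rel, "obfuscated"))
    flagged_files = {rel for rel, _ in result["hits"]}
    # An install hook that executes a flagged file is the pattern seen in this campaign.
    result["hook_runs_flagged_file"] = any(
        rel in cmd for cmd in result["hooks"].values() for rel in flagged_files
    )
    return result


def scan_tree(root: Path) -> list:
    """Scan every package directory under root (e.g. an unpacked node_modules)."""
    pkgs = []
    for p in sorted(root.iterdir()):
        if not p.is_dir():
            continue
        # Scoped packages live one level down: node_modules/@scope/name
        pkgs.extend(sorted(c for c in p.iterdir() if c.is_dir()) if p.name.startswith("@") else [p])
    return [scan_package(p) for p in pkgs]


def build_fixture() -> Path:
    """Constructed sample tree: one benign package and one laid out like the reported ones.
    The 'bad' file holds inert string literals only; it is an indicator fixture, not a payload."""
    root = Path(tempfile.mkdtemp(prefix="pkgscan-"))
    benign = root / "left-pad-ish"
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps(
        {"name": "left-pad-ish", "scripts": {"test": "node test.js"}}))
    (benign / "index.js").write_text("module.exports = (s, n) => s.padStart(n);\n")

    bad = root / "wash-care-symbol-lookalike"
    (bad / "scripts").mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps(
        {"name": "wash-care-symbol-lookalike",
         "scripts": {"postinstall": "node scripts/post-install.cjs"}}))
    (bad / "scripts" / "post-install.cjs").write_text(
        "// constructed fixture: indicators only\n"
        'const endpoint = "https://app.threatest[.]com/";\n'
        'const wanted = [".kube/config", ".ssh/id_rsa"];\n'
    )
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_fixture()):
        print(finding)
```

Point `scan_tree` at a project's node_modules (or a directory of unpacked sdists) to triage it; a package whose postinstall hook runs a file that also references the C2 domain or key paths deserves immediate attention, while a bare "obfuscated" hit on a minified bundle is often benign and needs a human look.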
Is There a Specific Threat Actor Distributing These Malicious npm and PyPI Packages?
The domain used in the campaign (app.threatest[.]com) was found to resolve to two Cloudflare IP addresses. Researchers also observed Chinese characters in code comments. Neither observation, however, is enough to attribute the campaign to a specific threat actor.
In the days following the campaign's launch, researchers identified additional packages. The campaign began with an initial release of packages in the npm registry, but as it evolved, the attackers expanded their distribution to include packages on PyPI.
Researchers report that, to date, the campaign has generated a total of 46 publications across 39 distinct packages within the two ecosystems (npm and PyPI).
You can find a comprehensive list of all the campaign-related packages at the end of this blog.
Proactively Defend Your Environment with SOCRadar
With the Supply Chain Intelligence feature under SOCRadar’s CTI module, you can include your vendors on a WatchList and stay vigilant regarding the most recent incidents that might have implications for your organization’s security.
Additionally, attackers frequently use vulnerabilities in infected systems to further exploit their victims. With SOCRadar, you can promptly receive alerts regarding vulnerabilities identified across your digital assets, enabling proactive defense measures for your organization.
All npm and PyPI Packages Related to the Campaign
The following is a complete list of malicious packages published so far in the campaign:
| Package | Version | Ecosystem | Publish Date | Malicious File |
|---|---|---|---|---|
| @am-fe/components | 0.0.1-beta.16 | npm | 2023-09-12 02:56:24 | package/index.js |
| @am-fe/hooks | 0.0.1-beta.3 | npm | 2023-09-12 03:01:10 | package/index.js |
| @am-fe/provider | 0.0.1-alpha.8 | npm | 2023-09-12 19:35:29 | package/index.js |
| @am-fe/watermark | 1.0.1 | npm | 2023-09-12 19:37:03 | package/index.js |
| @am-fe/utils | 0.0.1-alpha.3 | npm | 2023-09-12 19:44:17 | package/index.js |
| @soc-fe/use | 0.0.2-beta.8 | npm | 2023-09-12 20:29:30 | package/index.js |
| shineouts | 1.12.16-beta.0 | npm | 2023-09-12 20:59:51 | package/index.js |
| @dynamic-form-components/shineout | 1.0.4-alpha.3 | npm | 2023-09-12 23:37:30 | package/index.js |
| @dynamic-form-components/mui | 1.4.2-alpha.1 | npm | 2023-09-12 23:43:07 | package/index.js |
| @expue/app | 0.0.2-alpha.0 | npm | 2023-09-13 01:20:11 | package/index.js |
| @expue/builder | 0.0.3-alpha.0 | npm | 2023-09-13 19:07:35 | package/index.js |
| @expue/cli | 0.0.3-alpha.0 | npm | 2023-09-13 19:08:42 | package/index.js |
| @expue/config | 0.0.3-alpha.0 | npm | 2023-09-13 19:09:06 | package/index.js |
| @expue/core | 0.0.3-alpha.0 | npm | 2023-09-13 19:09:31 | package/index.js |
| @expue/plugin-express | 0.0.3-alpha.0 | npm | 2023-09-13 19:10:30 | package/index.js |
| @expue/shared | 0.0.3-alpha.0 | npm | 2023-09-13 19:11:05 | package/index.js |
| @expue/types | 0.0.3-alpha.0 | npm | 2023-09-13 19:27:39 | package/index.js |
| @expue/vue-renderer | 0.0.3-alpha.0 | npm | 2023-09-13 19:28:54 | package/index.js |
| @expue/vue3-helper | 0.0.3-alpha.0 | npm | 2023-09-13 19:30:01 | package/index.js |
| @expue/vue3-renderer | 0.0.3-alpha.0 | npm | 2023-09-13 19:31:15 | package/index.js |
| @sheinoutmobile/sheinoutmobile | 1.6.0 | npm | 2023-09-13 19:51:05 | package/index.js |
| apm-web-vitals | 0.0.1-rc.3 | npm | 2023-09-14 01:04:09 | package/src/main.js |
| systemrobotassistant | 3.0.8 | npm | 2023-09-14 01:31:02 | package/src/main.js |
| ssc-concurrent-log-handler | 0.0.12 | pypi | 2023-09-14 04:06:56 | ssc-concurrent-log-handler-0.0.12/setup.py |
| @sheinoutmobile/shineoutmobile | 1.8.2 | npm | 2023-09-14 04:08:57 | package/src/index.js |
| ssc-concurrent-log-handler | 0.0.13 | pypi | 2023-09-14 04:46:56 | ssc-concurrent-log-handler-0.0.12/setup.py |
| @virtualsearchtable/virtualsearchtable | 0.1.0 | npm | 2023-09-14 21:09:13 | package/scripts/index.js |
| @fixedwidthtable/fixedwidthtable | 0.0.1 | npm | 2023-09-14 21:12:32 | package/scripts/index.js |
| @fixedwidthtable/fixedwidthtable | 0.0.2 | npm | 2023-09-14 21:12:36 | package/scripts/index.js |
| @spgy/eslint-plugin-spgy-fe | 1.0.0-rc.1 | npm | 2023-09-14 22:35:39 | package/scripts/index.js |
| @spgy/eslint-plugin-spgy-fe | 1.0.0-rc.2 | npm | 2023-09-15 02:46:33 | package/scripts/index.js |
| @fixedwidthtable/fixedwidthtable | 0.0.3 | npm | 2023-09-15 02:48:13 | package/scripts/index.js |
| @virtualsearchtable/virtualsearchtable | 0.1.1 | npm | 2023-09-15 02:49:41 | package/scripts/index.js |
| sc-concurrent-log-handler | 0.0.13 | pypi | 2023-09-18 03:59:05 | sc-concurrent-log-handler-0.0.13/setup.py |
| ss-concurrent-log-handler | 0.0.13 | pypi | 2023-09-18 04:03:56 | sc-concurrent-log-handler-0.0.13/setup.py |
| sc-concurrent-log-handler | 0.0.14 | pypi | 2023-09-18 04:21:32 | sc-concurrent-log-handler-0.0.14/setup.py |
| am-packages | 0.0.1 | npm | 2023-09-20 00:36:41 | package/dist/index.js |
| apm-web-vitals | 1.0.2 | npm | 2023-09-20 00:54:42 | package/dist/index.js |
| eslint-plugin-shein-soc-raw | 1.1.4 | npm | 2023-09-20 23:00:50 | package/lib/config.js |
| eslint-plugin-spgy-fe | 1.0.1 | npm | 2023-09-20 23:01:25 | package/lib/config.js |
| sun-flare | 1.0.9 | npm | 2023-09-20 23:20:32 | package/flare.beta.js |
| @zxncij2390/monorepo3 | 3.18.0 | npm | 2023-09-24 20:12:07 | package/pre-install.cjs |
| @zxncij2390/upload-ali-oss | 0.1.2 | npm | 2023-09-24 22:43:07 | package/post-install.cjs |
| @zxncij2390/wash-care-symbol | 1.0.3 | npm | 2023-09-24 22:45:31 | package/post-install.cjs |
| xia-kit | 0.0.1-beta.4 | npm | 2023-09-24 23:14:46 | package/src/post-install.cjs |
| rate-my-web | 1.0.6 | npm | 2023-09-24 23:22:44 | package/post-install.cjs |
(Source: Phylum)
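The table is most useful when checked mechanically against what is actually installed. The script below is an added example (not SOCRadar's or Phylum's tooling) that loads a subset of the rows above as CSV, reads a lockfileVersion 2/3 package-lock.json and a pinned requirements.txt, and reports every dependency whose name appears in the campaign list, marking whether the installed version is one the campaign itself published. PyPI names are normalized per PEP 503 (case-insensitive, with `-`, `_` and `.` treated alike), since the same package can be spelled several ways; npm names are matched exactly. The lockfile and requirements inputs are constructed samples.

```python
"""Check a dependency tree against the campaign's published package list."""
import re

# Subset of the rows in the table above as (package, version, ecosystem); the full
# table can be fed in the same CSV shape.
CAMPAIGN_PACKAGES = """\
@am-fe/hooks,0.0.1-beta.3,npm
@fixedwidthtable/fixedwidthtable,0.0.1,npm
@fixedwidthtable/fixedwidthtable,0.0.2,npm
@fixedwidthtable/fixedwidthtable,0.0.3,npm
@zxncij2390/wash-care-symbol,1.0.3,npm
rate-my-web,1.0.6,npm
ssc-concurrent-log-handler,0.0.12,pypi
ssc-concurrent-log-handler,0.0.13,pypi
sc-concurrent-log-handler,0.0.14,pypi
"""


def normalize(name: str, ecosystem: str) -> str:
    """PyPI names are case-insensitive and treat '-', '_' and '.' alike (PEP 503);
    npm names are compared exactly."""
    if ecosystem == "pypi":
        return re.sub(r"[-_.]+", "-", name).lower()
    return name


def load_iocs(csv_text: str) -> dict:
    """Build ecosystem -> {normalized package name -> set of published versions}."""
    table = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        name, version, eco = (part.strip() for part in line.split(","))
        table.setdefault(eco, {}).setdefault(normalize(name, eco), set()).add(version)
    return table


def deps_from_package_lock(lock: dict):
    """Yield (name, version) from a lockfileVersion 2/3 package-lock.json."""
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        # Nested installs look like node_modules/a/node_modules/b; keep the last segment.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", "")


def deps_from_requirements(text: str):
    """Yield (name, version) from a pinned requirements.txt; unpinned lines give ''."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        yield name.strip(), version.strip()


def match(deps, iocs: dict, ecosystem: str) -> list:
    """Flag any dependency whose name is on the campaign list. 'exact' marks a version
    the campaign itself published; a name-only match is still worth review because
    the campaign pushed several versions of the same names."""
    listed = iocs.get(ecosystem, {})
    hits = []
    for name, version in deps:
        versions = listed.get(normalize(name, ecosystem))
        if versions is None:
            continue
        hits.append({"name": name, "version": version, "exact": version in versions})
    return hits


# Constructed sample inputs.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/@fixedwidthtable/fixedwidthtable": {"version": "0.0.2"},
        "node_modules/rate-my-web": {"version": "1.0.7"},
    },
}
SAMPLE_REQUIREMENTS = "requests==2.31.0\nSSC_Concurrent.Log_Handler==0.0.13  # constructed\n"

if __name__ == "__main__":
    iocs = load_iocs(CAMPAIGN_PACKAGES)
    print(match(deps_from_package_lock(SAMPLE_LOCK), iocs, "npm"))
    print(match(deps_from_requirements(SAMPLE_REQUIREMENTS), iocs, "pypi"))
```

In practice, load the real package-lock.json with `json.load` and run the check in CI before `npm ci` or `pip install`; any hit, exact or not, should block the build until the dependency is reviewed, since the campaign's typosquats (ssc-, ss-, sc-concurrent-log-handler) show that a near-miss name is itself the indicator.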