info@thehackernews.com (The Hacker News)
2024-11-08 06:53:00
thehackernews.com
A new campaign has targeted the npm package repository with malicious JavaScript libraries that are designed to infect Roblox users with open-source stealer malware such as Skuld and Blank-Grabber.
“This incident highlights the alarming ease with which threat actors can launch supply chain attacks by exploiting trust and human error within the open source ecosystem, and using readily available commodity malware, public platforms like GitHub for hosting malicious executables, and communication channels like Discord and Telegram for C2 operations to bypass traditional security measures,” Socket security researcher Kirill Boychenko said in a report shared with The Hacker News.
The list of malicious packages is as follows –
It’s worth pointing out that “node-dlls” is an attempt on part of the threat actor to masquerade as the legitimate node-dll package, which offers a doubly linked list implementation for JavaScript. Similarly, rolimons-api is a deceptive variant of Rolimon’s API.
“While there are unofficial wrappers and modules — such as the rolimons Python package (downloaded over 17,000 times) and the Rolimons Lua module on GitHub — the malicious rolimons-api packages sought to exploit developers’ trust in familiar names,” Boychenko noted.
The rogue packages incorporate obfuscated code that downloads and executes Skuld and Blank Grabber, stealer malware families written in Golang and Python, respectively, that are capable of harvesting a wide range of information from infected systems. The captured data is then exfiltrated to the attacker via Discord webhook or Telegram.
In a further attempt to bypass security protections, the malware binaries are retrieved from a GitHub repository (“github[.]com/zvydev/code/”) controlled by the threat actor.
Roblox’s popularity in recent years has led to threat actors actively pushing bogus packages to target both developers and users. Earlier this year, several malicious packages like noblox.js-proxy-server, noblox-ts, and noblox.js-async were discovered impersonating the popular noblox.js library.
With bad actors exploiting the trust with widely-used packages to push typosquatted packages, developers are advised to verify package names and scrutinize source code prior to downloading them.
“As open-source ecosystems grow and more developers rely on shared code, the attack surface expands, with threat actors looking for more opportunities to infiltrate malicious code,” Boychenko said. “This incident emphasizes the need for heightened awareness and robust security practices among developers.”
Support Techcratic
If you find value in Techcratic’s insights and articles, consider supporting us with Bitcoin. Your support helps me, as a solo operator, continue delivering high-quality content while managing all the technical aspects, from server maintenance to blog writing, future updates, and improvements. Support Innovation! Thank you.
Bitcoin Address:
bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge
Please verify this address before sending funds.
Bitcoin QR Code
Simply scan the QR code below to support Techcratic.
Please read the Privacy and Security Disclaimer on how Techcratic handles your support.
Disclaimer: As an Amazon Associate, Techcratic may earn from qualifying purchases.