A group presenting itself as a Ukrainian Web3 team targeted a community member during the first round of a job interview by instructing them to clone and run a GitHub repository named EvaCodes-Community/UltraX.
Suspecting foul play, the individual contacted the SlowMist security team, who conducted a thorough analysis and uncovered malicious components embedded within the project’s dependencies. With consent, SlowMist issued a public advisory highlighting the risks.
Threat in a Fake Interview Process
The repository, which looked like a legitimate open-source project, had recently updated its package.json to swap the deprecated redux-ace dependency for a new package, rtk-logger@1.11.5.
The former had been delisted by npm's security team for containing malware, while the latter was freshly published and pointed to a GitHub source repository that had since been deleted, which heightened suspicion.
Dissection located the malicious code in the package's /rtk-logger/lib/utils/smtp-connection directory: index.js imports a few modules, reads the LICENSE file via fs.readFile, passes its contents through a custom parseLib() function defined in parse.js, and hands the result to eval().
parseLib() treats the LICENSE text as hex-encoded ciphertext and decrypts it with AES-256-CBC using a key and IV hardcoded in the package, so the real payload never appears in plaintext on disk and evades simple string-based scanning.
SlowMist's deobfuscation confirmed rtk-logger@1.11.5 as a Trojanized npm package built for data theft.
It hardcodes paths to browsers like Chrome, Brave, Opera, and Firefox, targeting extension data, cryptocurrency wallet files, and sensitive user information such as login credentials, encryption keys, and certificates.
Analysis of Malicious Behaviors
Functions like uploadFiles() scan and exfiltrate configuration files from these browsers alongside crypto wallet extensions, bundling them for upload to an attacker-controlled server at 144.172.112.106.
Specialized routines include uploadMozilla() for Firefox-specific data, uploadEs() for Exodus wallet artifacts, UpKeychain() for macOS Keychain-stored passwords and certificates, and UpUserData() for broader browser credential extraction.
The Upload() function sends the harvested data as-is, over plain HTTP with no encryption or packaging, so the stolen material is also exposed to anyone on the network path.
Beyond exfiltration, the package stages additional payloads: runP() checks for, or downloads, a zipped archive from the same IP, extracts it, and can launch further malware from it.
The Xt() function adapts to the operating system: on Windows it first verifies that python.exe is available, then fetches and runs a remote Python script; on other platforms it invokes python3 directly.
Other components, such as aj, establish socket.io-client connections to 172.86.64.67 for command-and-control, enabling remote command execution, environment detection (e.g., virtualization checks), and logging.
Scripts like ak, al, and am extend the attack surface with browser data theft, filesystem scanning for sensitive files, keylogging, screenshot capture, and clipboard monitoring, all funneling outputs to attacker endpoints.
Forks of the repository, including those by kylengn, taqveemahsan, and zinping, still carry the original redux-ace dependency, so the threat persists there as well.
This incident underscores attackers' use of job lures to deploy infostealers, with asset theft and data breaches as the likely outcome. SlowMist urges running unknown projects only inside an isolated sandbox that holds no wallets, credentials, or browser profiles.
As a blockchain security firm since 2018, SlowMist has audited major exchanges like Binance and OKX, emphasizing proactive defenses against such ecosystem vulnerabilities.
Indicators of Compromise (IoCs)
| Category | Details |
|---|---|
| IPs | 144.172.112.106 |
| IPs | 172.86.64.67 |
| URLs | http://144.172.112.106:1224/pdown |
| URLs | http://144.172.112.106:1224/client/5346/64 |
| URLs | https://api.npoint.io/96979650f5739bcbaebb |
| URLs | http://172.86.64.67/api/service/makelog |
| URLs | http://172.86.64.67/api/service/process/ |
| URLs | http://172.86.64.67:4181 |
| URLs | http://172.86.64.67:4188/upload |
| URLs | http://172.86.64.67:4186/upload |
| URLs | http://172.86.64.67:4187/upload |
| SHA256 | af46c7917f04a9039eb0b439a7615ec07b7ad88048cb24fe23c454c16dffcd57 (rtk-logger-1.11.5.tgz) |
| GitHub Repositories (rtk-logger@1.11.5) | https://github.com/EvaCodes-Community/UltraX |
| GitHub Repositories (redux-ace) | https://github.com/kylengn/UltraX |
| GitHub Repositories (redux-ace) | https://github.com/taqveemahsan/UltraX |
| GitHub Repositories (redux-ace) | https://github.com/zinping/Pain_project |
| Malicious NPM Packages | https://www.npmjs.com/package/rtk-logger |
| Malicious NPM Packages | https://www.npmjs.com/package/redux-ace |
| NPM Package Download | https://registry.npmjs.org/rtk-logger/-/rtk-logger-1.11.5.tgz |