JavaScript and Python both have their own package repositories called npm (Node Package Manager) and PyPi (Python Package Index), respectively.
They act as key centers for publishing and exchanging reusable code libraries and packages by developers.
Sonatype Security Research tracks the npm registry campaign extracting Kubernetes configs and SSH keys via npm packages. Their automated system found 14 malicious packages, which were promptly reported to npm registry admins by researchers.
Sonatype researchers Carlos Fernandez and Gustavo Simoes find deceptive packages mimicking JavaScript libraries containing obfuscated code to steal sensitive files post-installation.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
Tracked packages
Here below, we have mentioned all the packages that are tracked as “Sonatype-2023-4000” and “Sonatype-2023-4004”:-
- @am-fe/hooks
- @am-fe/provider
- @am-fe/request
- @am-fe/utils
- @am-fe/watermark
- @am-fe/watermark-core
- @dynamic-form-components/mui
- @dynamic-form-components/shineout
- @expue/app
- @fixedwidthtable/fixedwidthtable
- @soc-fe/use
- @spgy/eslint-plugin-spgy-fe
- @virtualsearchtable/virtualsearchtable
- shineouts
Technical analysis
Batches of packages with under 200 downloads shared the commonality of using “app.threatest.com” in their accounts.
The package, named ‘fixedwidthtable,’ links to a non-descriptive ‘typescript-sdk-tools’ GitHub repository, raising the first red flag, as highlighted by Simoes.
While on the other hand, the package versions include functional code from real open-source packages, with alterations. In the ‘scripts’ folder, experts spot an ‘index.js’ file running obfuscated code.
Similar code and tactics are found in other campaign packages, and the cybersecurity researchers deobfuscated payloads.
While the earlier versions, like ‘@am-fe/hooks,’ revealed attacker intentions with unobfuscated payload. Mirroring previous PoC exploits, the script gathers SSH keys, Kubernetes config, and basic system info like:-
Yet, this stealthy data collection and deceptive npm metadata indicate the malicious intent.
Fernandez highlights the risk of unauthorized Kubernetes access, especially if it exploits recent vulnerabilities. The domain app.threatest[.]com resolves to Cloudflare IPs (172.67.141.49, 104.21.9.30), making attribution challenging.
However, besides this, security analysts found Mandarin comments during their analysis, but the comments are not conclusive of a specific threat actor.
Researchers tried contacting package publishers via metadata and WHOIS records but received no response. Given the current findings, analysts still consider these packages malicious.
Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.