Malicious NPM packages developed by "lexi2" have been deployed in new data exfiltration attacks against software developers, reports SiliconAngle.
Installing the package automatically executes files, including the "index.js" script, which gathers operating system usernames and working directories from compromised machines and delivers them to a predefined FTP server, according to a report from Checkmarx.
The script scours impacted machines for .env, .github, and .gitlab directories, as well as files with the .php, .asp, and .js extensions, researchers noted. It then compresses the directories it identifies and sends the archives to the server, skipping existing .zip files and unreadable directories.
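The behaviour described above can be checked for before a dependency is installed. The following is an added example, not code from Checkmarx or from the packages themselves: it finds the JavaScript files a package would run through npm install-time lifecycle scripts and looks in them for the reported traits. The regexes, the FTP and archive module names, the choice of lifecycle hooks, and both sample packages are assumptions constructed for illustration.

```javascript
// Added example (not from the report): install-hook triage for an npm package.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Behaviours come from the report; the regexes and module names are assumptions.
const TRAITS = {
  ftp: /\bftp:\/\/|require\(\s*['"](?:ftp|basic-ftp|jsftp)['"]\s*\)/i,
  hostInfo: /os\.userInfo\s*\(|process\.cwd\s*\(/,
  targetDirs: /['"`]\.(?:env|github|gitlab)['"`]/,
  archiving: /require\(\s*['"](?:archiver|adm-zip|jszip)['"]\s*\)/i,
};

// Return the JS files that npm would run via install-time lifecycle scripts.
function hookEntryFiles(manifest) {
  const scripts = manifest.scripts || {};
  const files = new Set();
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook] || "";
    for (const m of cmd.matchAll(/\bnode\s+(?:\.\/)?([\w./-]+\.js)\b/g)) files.add(m[1]);
  }
  return [...files];
}

// readFile(path) returns source text or null; injected so the check runs offline.
function triagePackage(manifest, readFile) {
  const hooks = INSTALL_HOOKS.filter((h) => (manifest.scripts || {})[h]);
  const findings = [];
  for (const file of hookEntryFiles(manifest)) {
    const src = readFile(file);
    if (src == null) continue;
    const hits = Object.keys(TRAITS).filter((t) => TRAITS[t].test(src));
    if (hits.length) findings.push({ file, hits });
  }
  // Flag only when FTP use coincides with at least one other reported trait.
  const suspicious = findings.some((f) => f.hits.includes("ftp") && f.hits.length >= 2);
  return { name: manifest.name, hooks, findings, suspicious };
}

// Constructed samples: indicator strings only, no working upload logic.
const FLAGGED = { name: "constructed-flagged", scripts: { preinstall: "node index.js" } };
const FLAGGED_FILES = { "index.js": [
  'const os = require("os"), ftp = require("basic-ftp");',
  "const who = os.userInfo().username, where = process.cwd();",
  'const wanted = [".env", ".github", ".gitlab"];',
].join("\n") };
const BENIGN = { name: "constructed-benign", scripts: { postinstall: "node ./scripts/build.js" } };
const BENIGN_FILES = { "scripts/build.js": 'console.log("build done");' };

const read = (files) => (p) => (p in files ? files[p] : null);
console.log(JSON.stringify(triagePackage(FLAGGED, read(FLAGGED_FILES))));
console.log(JSON.stringify(triagePackage(BENIGN, read(BENIGN_FILES))));
```

A hit is a reason to read the hook script by hand, not a verdict; string heuristics like these miss obfuscated code.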
"Reactive countermeasures of deleting the most recent batch of malicious packages offer only temporary relief and don't get to the root of the problem. Protection against these unrelenting threats requires a more sophisticated strategy," said researchers, who urged strengthened metadata sharing and attacker monitoring to combat NPM threats.
New data exfiltration attacks involving malicious NPM packages reported