Security researchers have uncovered 48 malicious npm packages in the npm repository, capable of deploying a reverse shell on compromised systems. These packages, cleverly named to appear legitimate, contain obfuscated JavaScript code designed to initiate a reverse shell upon package installation. All of these counterfeit packages were published by an npm user known as hktalent.
Furthermore, after package installation, an install hook in the package.json file triggers an attack chain, establishing a reverse shell connection to rsh.51pwn[.]com. These findings highlight the growing interest of threat actors in open-source environments and emphasize the critical nature of dependency trust in securing open-source ecosystems. In the wake of these discoveries, concerns about supply chain attacks targeting open-source software are on the rise.
Additionally, this latest incident involving malicious npm packages mirrors a recent revelation about two packages published to the Python Package Index (PyPI). These Python packages, named localization-utils and locute, were designed to simplify internationalization but incorporated malicious code to exfiltrate sensitive Telegram Desktop application data and system information.
Finally, the threat landscape demonstrates that threat actors are becoming increasingly sophisticated in creating packages that avoid detection through obfuscation and deceptive tactics. The security firm Phylum suggests that these incidents serve as a stark reminder of the critical nature of maintaining trust in the dependencies within open-source ecosystems.
