Two malicious npm packages, warbeast2000 and kodiak2k, were found on the npm package registry, exploiting GitHub to store stolen Base64-encrypted SSH keys taken from the systems of installed developers. Published at the beginning of January 2024, these modules, downloaded 412 and 1,281 times respectively, were removed by npm maintainers after discovery by software supply chain security firm ReversingLabs. Both packages executed postinstall scripts, attempting to access private SSH keys and executing different JavaScript files. These findings highlight a concerning threat to software supply chain security, with cybercriminals leveraging open-source package managers and infrastructure for malicious activities.
The warbeast2000 module, during its postinstall script, attempted to access private SSH keys, uploading the Base64-encoded key to an attacker-controlled GitHub repository. Simultaneously, kodiak2k searched for a key named “meow,” suggesting a placeholder name used during early development. The second-stage malicious script in warbeast2000 read the private SSH key stored in the id_rsa file, uploading it to the attacker’s GitHub repository. Subsequent versions of kodiak2k executed a script from an archived GitHub project hosting the Empire post-exploitation framework, enabling the launch of the Mimikatz hacking tool to extract credentials from process memory. These incidents illustrate cybercriminals exploiting open-source package managers for malicious software supply chain campaigns.
The discovery underscores the ongoing threat to development organizations and end-user organizations from cybercriminals and malicious actors using open-source package managers and related infrastructure. This campaign highlights the importance of vigilance in software supply chain security to prevent potential compromises, emphasizing the need for robust defenses against such attacks.
