A recent discovery by cybersecurity researchers has unveiled a new threat in the npm package registry, as a fresh wave of malicious npm packages aims to compromise systems by exfiltrating Kubernetes configurations and SSH keys to a remote server.
Sonatype, the software supply chain security firm, has identified 14 different npm packages responsible for this threat. These packages initially pose as legitimate JavaScript libraries and components, like ESLint plugins and TypeScript SDK tools. However, once installed, they execute obfuscated code to collect sensitive files from the targeted machine.
In addition to compromising Kubernetes configurations and SSH keys, these malicious npm packages can also harvest system metadata, such as usernames, IP addresses, and hostnames, sending this information to a specific domain. This discovery follows the detection of counterfeit npm packages that exploited dependency confusion to impersonate internal packages used by developers, raising concerns about the security of the software supply chain.
Threat actors are consistently targeting open-source registries like npm and PyPI with a variety of malware types, including cryptojackers and infostealers.
These attacks have diversified across different ecosystems, impacting JavaScript (npm), Python (PyPI), and Ruby (RubyGems), and now they even target Apple macOS users. The motives behind these attacks remain unclear, but they pose a significant threat to software developers and the broader software supply chain. These findings underscore the need for continued vigilance and security measures to protect open-source repositories and the systems that rely on them.
