A grave security threat has emerged for developers as Fortinet FortiGuard Labs reveals the discovery of nearly 36 malicious npm packages hidden in the npm package repository. These counterfeit packages have a nefarious purpose: to steal sensitive data from developers’ systems.
One group of these packages, including @expue/webpack, @expue/core, @expue/vue3-renderer, @fixedwidthtable/fixedwidthtable, and @virtualsearchtable/virtualsearchtable, contains an obfuscated JavaScript file designed to gather critical secrets, such as Kubernetes configurations, SSH keys, and system metadata, like usernames, IP addresses, and hostnames.
Fortinet FortiGuard Labs also detected another collection of four modules, namely binarium-crm, career-service-client-0.1.6, hh-dep-monitoring, and orbitplate, capable of unauthorized extraction of source code and configuration files. These files and directories often contain intellectual property and sensitive information, such as application and service credentials, which are then archived and uploaded to an FTP server by these malicious modules.
Some of these packages have sophisticated methods, like utilizing a Discord webhook to exfiltrate sensitive data or automatically downloading and executing potentially malicious executable files from URLs.
In a unique twist, one rogue package, @cima/prism-utils, employed an install script to disable TLS certificate validation (NODE_TLS_REJECT_UNAUTHORIZED=0), potentially exposing connections to adversary-in-the-middle (AitM) attacks. Fortinet FortiGuard Labs categorized these identified modules into nine groups based on code similarities and functions.
They caution end-users to be vigilant, particularly regarding packages with suspicious install scripts, to protect their systems from data harvesting and security breaches.
