This revelation follows closely on the heels of Phylum’s discovery of rogue packages on the npm registry, part of a campaign called Contagious Interview targeting software developers. What’s particularly intriguing about both attacks is the concealment of malicious code within a test script (“test.py”). In this instance, the script serves as a decoy for an XOR-encoded DLL file, which generates two additional DLL files, IconCache.db and NTUSER.DAT. The latter is used to execute IconCache.db, housing the Comebacker malware, responsible for establishing connections with a command-and-control server to retrieve and run a Windows executable file.
JPCERT/CC asserts that these packages represent a continuation of a campaign initially detailed by Phylum in November 2023, where crypto-themed npm modules were exploited to disseminate the Comebacker malware. Tomonaga cautions users to be vigilant during software installations to avoid inadvertently downloading malware, particularly emphasizing the need to double-check package names to prevent typos from leading to the installation of unwanted packages. This incident underscores the importance of robust cybersecurity practices within the developer community to mitigate the risks posed by state-backed hacking groups like Lazarus.
