A malicious npm package named “oscompatible” has been discovered deploying a sophisticated remote access trojan on compromised Windows machines. The package, uploaded to the npm registry on January 9, 2024, garnered 380 downloads before it was removed. Featuring unusual binaries, including an executable file, DLL, and encrypted DAT file, the JavaScript file within the package executed a batch script targeting Windows machines. The trojan, named “verify.dll,” was designed to carry out various malicious activities, including fetching instructions from a command-and-control server, installing Chrome extensions, capturing keyboard and mouse events, and more.
The attack’s complexity is notable, involving a multi-stage process that decrypts data, utilizes a revoked certificate for signing, retrieves files from remote sources, and attempts to disguise itself as a standard Windows update process. This incident underscores the growing trend of threat actors targeting open-source software ecosystems for supply chain attacks. Meanwhile, a report by cloud security firm Aqua revealed that 21.2% of the top 50,000 most downloaded npm packages are deprecated, exposing users to potential security risks. Some maintainers opt to deprecate packages without addressing security flaws, leaving users unaware of potential threats.
Security researchers emphasize the critical nature of this situation, especially when maintainers choose to deprecate packages instead of addressing security flaws with patches or CVE assignments. Deprecated packages, including archived and deleted GitHub repositories, are downloaded an estimated 2.1 billion times weekly, creating a significant security gap. The “oscompatible” incident exemplifies the sophisticated tactics employed by threat actors in compromising open-source software, highlighting the need for robust security measures and awareness within the software development community.
