Phylum has been engaged in uncovering and reporting on a string of malware campaigns that have targeted open-source ecosystems in recent weeks. These campaigns encompass a range of malicious activities, including the insertion of malevolent updates into npm packages, the disguise of malware as a GCC binary, and the distribution of packages with intricate command-and-control structures designed for data exfiltration.
Phylum’s modus operandi involves constant monitoring of open-source ecosystems, wherein they meticulously inspect source code and metadata of packages as soon as they are introduced into the registry. In their latest discovery, Phylum unveiled a nascent campaign that spans three major ecosystems: Python (PyPI), JavaScript (npm), and Ruby (RubyGems).
The campaign initiated on September 3, 2023, with the emergence of the package named “kwxiaodian.” This campaign follows a familiar pattern observed in earlier cyberattacks. Initially, the attackers distribute packages with data collection capabilities, gathering information about the target machine and sending it to a server controlled by the malicious actors.
Subsequently, more sinister versions of the packages are released once an interesting target is identified. Notably, this campaign exclusively collects data from macOS machines.Phylum’s analysis revealed that the npm, PyPI, and RubyGems campaigns share striking similarities: all packages communicate with a service hosted at 81.70.191.194, collect system information, and are specifically designed to execute on macOS systems.
Furthermore, multiple packages across these ecosystems featured similar version numbers, such as 9.1.10. The collective evidence points to a coordinated campaign against software developers.
Although the ultimate objectives of these attacks remain ambiguous, Phylum took swift action by reporting the packages to the respective ecosystems for removal, with PyPI already confirming the elimination of the malicious packages.
Overall, Phylum’s findings emphasize the alarming prevalence of malware within open-source package registries and the need for robust security measures in an era of increased package dependencies in software development projects.
