Two malicious packages found on the npm package registry have been discovered to leverage GitHub to store Base64-encoded SSH keys stolen from developer systems on which they were installed.
The modules, named warbeast2000 and kodiak2k, were published at the beginning of the month, attracting 412 and 1,281 downloads respectively before they were taken down by the npm maintainers. The most recent downloads occurred on January 21, 2024.
Software supply chain security firm ReversingLabs, which made the discovery, said there were eight different versions of warbeast2000 and more than 30 versions of kodiak2k.
Both modules are designed to run a postinstall script after installation, each capable of retrieving and executing a different JavaScript file.
While warbeast2000 attempts to access the private SSH key, kodiak2k is designed to look for a key named “meow,” raising the possibility that the threat actor used a placeholder name during the early phases of development.
“This second stage malicious script reads the private SSH key stored in the id_rsa file located in the <homedir>/.ssh directory,” security researcher Lucija Valentić said about warbeast2000. “It then uploaded the Base64-encoded key to an attacker-controlled GitHub repository.”
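The mechanism described above, an install-time lifecycle hook that reads <homedir>/.ssh/id_rsa, encodes it and ships it to a remote repository, is exactly what a defender can audit for before a package's scripts ever run. The following Python is an added example, not code from the article or from ReversingLabs: it parses a package.json, flags any npm install-time hook, and matches each hook's command against a small indicator list; both the indicator list and the sample package.json are constructed for illustration.

```python
import json
import re

# Lifecycle hooks npm runs automatically during `npm install` (unless
# `--ignore-scripts` or `ignore-scripts=true` in .npmrc is set).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed indicator list modelled on the behaviour described above:
# (regex, human-readable reason). Case-insensitive matching below.
SUSPICIOUS = [
    (r"\.ssh\b", "references the ~/.ssh directory"),
    (r"\bid_(rsa|ed25519|ecdsa|dsa)\b", "references an SSH private key file"),
    (r"\bbase64\b", "Base64-encodes data"),
    (r"https?://", "performs a network request"),
    (r"github\.com", "contacts GitHub"),
    (r"\bcurl\b|\bwget\b|\bfetch\b|https?\.request", "downloads or uploads data"),
]


def audit_package_json(text):
    """Return one finding per install-time hook found in a package.json string.

    Every install hook is reported (it runs without user interaction); the
    'indicators' list says which constructed heuristics its command matched.
    """
    pkg = json.loads(text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue
        hits = [why for pat, why in SUSPICIOUS if re.search(pat, cmd, re.I)]
        findings.append({"hook": hook, "command": cmd, "indicators": hits})
    return findings


# Constructed sample: the postinstall command is a descriptive stand-in for
# the stealer behaviour, not the real package's script.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "constructed-example-pkg",
    "version": "1.0.0",
    "scripts": {
        "postinstall": "node -e \"/* read ~/.ssh/id_rsa, base64 it, "
                       "push to https://github.com/PLACEHOLDER-REPO */\"",
        "test": "jest",
    },
})

if __name__ == "__main__":
    for f in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"{f['hook']}: {f['command']}")
        for why in f["indicators"]:
            print(f"  - {why}")
```

Run it against the package.json inside a downloaded tarball (`npm pack <name>`) before installing, and treat any install hook with network or key-file indicators as a reason to stop and read the script.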
Subsequent versions of kodiak2k were found to execute a script found in an archived GitHub project hosting the Empire post-exploitation framework. The script is capable of launching the Mimikatz hacking tool to dump credentials from process memory.
“The campaign is just the latest example of cybercriminals and malicious actors using open source package managers and related infrastructure to support malicious software supply chain campaigns that target development organizations and end-user organizations,” Valentić said.