Nearly three dozen counterfeit packages have been discovered in the npm package repository that are designed to exfiltrate sensitive data from developer systems, according to findings from Fortinet FortiGuard Labs.
One set of packages – named @expue/webpack, @expue/core, @expue/vue3-renderer, @fixedwidthtable/fixedwidthtable, and @virtualsearchtable/virtualsearchtable – harbored an obfuscated JavaScript file that’s capable of gathering valuable secrets.
This includes Kubernetes configurations, SSH keys, and system metadata such as username, IP address, and hostname.
The cybersecurity firm said it also discovered another collection of four modules, i.e., binarium-crm, career-service-client-0.1.6, hh-dep-monitoring, and orbitplate, which results in the unauthorized extraction of source code and configuration files.
“The targeted files and directories may contain highly valuable intellectual property and sensitive information, such as various application and service credentials,” security researchers Jin Lee and Jenna Wang said. “It then archives these files and directories and uploads the resulting archives to an FTP server.”
Some of the packages observed have also been found leveraging a Discord webhook to exfiltrate sensitive data, while a few others are engineered to automatically download and execute a potentially malicious executable file from a URL.
In what’s a novel twist, a rogue package named @cima/prism-utils relied on an install script to disable TLS certificate validation (NODE_TLS_REJECT_UNAUTHORIZED=0), potentially rendering connections vulnerable to adversary-in-the-middle (AitM) attacks.
The cybersecurity company said it categorized the identified modules into nine different groups based on code similarities and functions, with a majority of them employing install scripts that run pre or post-install to carry out the data harvesting.
“End users should watch for packages that employ suspicious install scripts and exercise caution,” the researchers said.
