Cybersecurity researchers have identified two malicious packages on the npm package registry that concealed backdoor code to execute malicious commands sent from a remote server.
The packages in question – img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy – have been downloaded 190 and 48 times each. As of writing, they have been taken down by the npm security team.
“They contained sophisticated command and control functionality hidden in image files that would be executed during package installation,” software supply chain security firm Phylum said in an analysis.
The packages are designed to impersonate a legitimate npm library called aws-s3-object-multipart-copy, but come with an altered version of the “index.js” file to execute a JavaScript file (“loadformat.js”).
For its part, the JavaScript file is designed to process three images — that feature the corporate logos for Intel, Microsoft, and AMD — with the image corresponding to Microsoft’s logo used to extract and execute the malicious content.
The code works by registering the new client with a command-and-control (C2) server by sending the hostname and operating system details. It then attempts to execute attacker-issued commands periodically every five seconds.
In the final stage, the output of the commands’ execution is exfiltrated back to the attacker via a specific endpoint.
“In the last few years, we’ve seen a dramatic rise in the sophistication and volume of malicious packages published to open source ecosystems,” Phylum said.
“Make no mistake, these attacks are successful. It is absolutely imperative that developers and security organizations alike are keenly aware of this fact and are deeply vigilant with regard to open source libraries they consume.”
