Cybersecurity researchers have revealed a year-long software supply chain attack on the npm package registry, initiated by the seemingly harmless library @0xengine/xmlrpc. This package, which originally functioned as a JavaScript XML-RPC server for Node.js, was compromised shortly after its launch to include malicious code capable of stealing sensitive information and mining cryptocurrency. The malicious features were hidden in version 1.3.4, allowing it to gather SSH keys, bash history, and more, transmitting the data via Dropbox. This incident underscores the critical importance of vigilance in software supply chains, as even trusted packages can become harmful over time. With multiple distribution methods, this attack highlights the ongoing threat to developers and users alike.
Cybersecurity Alert: Malicious npm Package Found Stealing Data and Mining Cryptocurrency
Published on Nov 28, 2024 by Ravie Lakshmanan
Tags: Software Security / Data Breach
In a concerning development for software developers and users alike, cybersecurity researchers have uncovered a software supply chain attack that has been active for over a year on the npm package registry. The attack began with a harmless-looking library that eventually became weaponized, incorporating malicious code designed to steal sensitive data and mine cryptocurrency from infected computers.
The malicious package, called @0xengine/xmlrpc, was first released on October 2, 2023, as a JavaScript XML-RPC server for Node.js. Despite its innocent beginnings, the package has accumulated over 1,790 downloads and remains available on the registry to unsuspecting users.
Researchers from Checkmarx have reported that in version 1.3.4, released just a day after its initial publication, the package included code that collects sensitive information such as SSH keys, system metadata, and environment variables. This data is sent to cloud storage services like Dropbox, making the theft even more concerning.
The attack spreads through two main avenues: direct installation from npm, and as a hidden dependency of a seemingly legitimate GitHub project called yawpp, which claims to help users create WordPress posts. Because @0xengine/xmlrpc is listed in that project’s package.json file, users unknowingly download the malicious code when they install yawpp.
Once installed, the malware not only collects system information but also establishes a backdoor to maintain access and control over the compromised systems. Approximately 68 systems have been found to be actively mining cryptocurrency for the attackers.
This incident serves as a stark reminder that not all packages are safe, even those that appear to be well-maintained. Developers must remain vigilant when integrating third-party libraries and continuously monitor them throughout their lifecycles.
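The hidden-dependency route described above (a legitimate-looking project whose package.json pulls in the malicious package) and the advice to keep monitoring third-party libraries throughout their lifecycle both come down to one practical check: knowing which packages actually land in your dependency tree, including the ones you never asked for directly. The following Node.js script is an added example, not code from the article, from Checkmarx, or from any project named here. It walks a package-lock.json (lockfileVersion 2 or 3 layout, where every installed package appears under `packages`), flags any package whose name is on a denylist, and reports the chain of dependents that pulled it in. The lockfile contents, the `my-app` root project, and the version strings are constructed for illustration; only the package names `@0xengine/xmlrpc` and `yawpp` come from the article.

```javascript
// Added example: find denylisted packages in an npm lockfile and explain how
// they got there. Not part of the article or any project it mentions.

// Names to flag. The article names @0xengine/xmlrpc; extend as needed.
const KNOWN_MALICIOUS = new Set(['@0xengine/xmlrpc']);

// Constructed package-lock.json (lockfileVersion 3 layout) for a hypothetical
// "my-app" project that depends on yawpp, which in turn depends on the
// malicious package. Replace with JSON.parse of a real package-lock.json.
const SAMPLE_LOCK = {
  name: 'my-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { yawpp: '^1.0.0' } },
    'node_modules/yawpp': {
      version: '1.0.0',
      dependencies: { '@0xengine/xmlrpc': '^1.3.4' },
    },
    'node_modules/@0xengine/xmlrpc': { version: '1.3.4' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

// Turn a lockfile path such as "node_modules/a/node_modules/@scope/b" into the
// package name "@scope/b" (nested installs keep the innermost segment).
function nameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Map each package name to the names of the packages that declare it as a
// dependency (regular, optional or peer). The root entry ('') counts as the
// project itself.
function buildDependents(lock) {
  const dependents = new Map();
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const parent = lockPath === '' ? (entry.name || '<root>') : nameFromPath(lockPath);
    for (const field of ['dependencies', 'optionalDependencies', 'peerDependencies']) {
      for (const dep of Object.keys(entry[field] || {})) {
        if (!dependents.has(dep)) dependents.set(dep, []);
        dependents.get(dep).push(parent);
      }
    }
  }
  return dependents;
}

// Walk upward from a package to the root project and return every chain of
// dependents, e.g. [['my-app', 'yawpp', '@0xengine/xmlrpc']]. The `seen` set
// guards against dependency cycles.
function chainsTo(dependents, name, rootName, seen = new Set()) {
  if (name === rootName) return [[rootName]];
  if (seen.has(name)) return [];
  const nextSeen = new Set(seen).add(name);
  const chains = [];
  for (const parent of dependents.get(name) || []) {
    for (const chain of chainsTo(dependents, parent, rootName, nextSeen)) {
      chains.push([...chain, name]);
    }
  }
  return chains;
}

// Return one finding per denylisted package present in the lockfile, with its
// installed version and the dependency chain(s) that introduced it.
// Note: lockfileVersion 1 files use a nested "dependencies" tree instead of
// the flat "packages" map and are not handled here.
function findMalicious(lock, denylist = KNOWN_MALICIOUS) {
  const packages = lock.packages || {};
  const rootName = (packages[''] && packages[''].name) || '<root>';
  const dependents = buildDependents(lock);
  const findings = [];
  for (const [lockPath, entry] of Object.entries(packages)) {
    if (lockPath === '') continue;
    const name = nameFromPath(lockPath);
    if (!denylist.has(name)) continue;
    findings.push({
      name,
      version: entry.version,
      chains: chainsTo(dependents, name, rootName).map((c) => c.join(' > ')),
    });
  }
  return findings;
}

// Stand-alone run against the constructed lockfile.
for (const f of findMalicious(SAMPLE_LOCK)) {
  console.log(`FLAGGED ${f.name}@${f.version} via ${f.chains.join(' | ')}`);
}
```

Run this in CI against the committed lockfile rather than against package.json alone: package.json only lists what you asked for, while the lockfile records everything npm would actually install, which is exactly where a dependency hidden inside a package like yawpp shows up.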
In a related note, Datadog Security Labs has also identified ongoing attacks against Windows users involving fake npm and Python packages aimed at distributing malware. Researchers suspect these threats specifically target developers associated with popular platforms like Roblox.
Stay cautious, and always verify the packages you choose to use to safeguard your projects against such malicious activities.
What is the XMLRPC npm library?
The XMLRPC npm library is a tool in JavaScript that helps programs communicate with servers using a protocol called XML-RPC.
How does the XMLRPC library turn malicious?
It can turn malicious if someone modifies it to steal data or perform harmful actions, like installing a crypto miner on users’ computers.
What kind of data can it steal?
It can steal various types of data, including passwords, personal information, and sensitive files from a computer or server.
How can I protect my system from this?
To protect your system, keep your software updated, check for security patches, and avoid using libraries with known vulnerabilities.
What should I do if I think I’m affected?
If you think you’re affected, immediately run a virus scan, change your passwords, and check for any unusual activities on your accounts.