Malicious Packages Embed Scripts for Mapping Enterprise Networks

Security researchers have uncovered a hacking campaign involving malicious reconnaissance scripts that have been downloaded over 3,000 times from the npm repository, a key component of the JavaScript ecosystem. The findings reveal a significant threat to developers and organizations reliant on this platform.
According to the Threat Research Team at Socket, a total of 60 npm packages were found to harbor a “small install-time script” designed to exfiltrate sensitive data including hostnames, IP addresses, DNS configurations, usernames, and project paths. These packages, initially appearing harmless, could provide adversaries with a growing map of developer and enterprise networks, effectively informing future intrusion efforts.
The reconnaissance scripts serve as potential precursors to more severe cyber threats. Given the lack of restrictions on post-install hooks within the npm registry, there’s a heightened risk of attackers employing new disposable accounts, unveiling fresh packages, and utilizing alternative exfiltration channels. As a result, Socket warns that larger and more damaging payloads may follow once specific target lists are finalized.
The npm repository has a well-documented history of hosting malicious packages stemming from careless coding practices. Recently, Socket identified a separate suite of malicious packages targeting prominent JavaScript frameworks, which had gone unnoticed for over two years and accumulated more than 6,200 downloads. In a separate incident, North Korean hackers utilized npm packages to disseminate the BeaverTail infostealer by masquerading as utility tools.
Notably, the first package linked to this current campaign surfaced merely two weeks ago, with additional packages surfacing just hours before Socket’s public disclosure. The reconnaissance script is designed to operate across Windows, macOS, and Linux systems. It includes basic checks to evade detection in sandbox environments, turning every compromised workstation or continuous integration system into a potential source of vital reconnaissance data.
The identified install-time scripts, which activate automatically following npm package installations, were published under three distinct accounts: bbbb335656, cdsfdfafd1232436437, and sdsds656565. Each account distributed 20 identical packages containing the reconnaissance capabilities embedded within them.
The suspect packages, which include files named seatable, datamart, and seamless-sppmy, share identical JavaScript logic aimed at network and host fingerprinting. Socket has reported these packages to the npm registry; as of the latest update they remain active, though there are indications that they may no longer be in circulation.
Socket advises developers to be vigilant by scanning for post-install hooks, identifying hardcoded URLs, and checking for unusually small package sizes, as these may indicate potential security risks. This incident starkly highlights the ongoing challenges of ensuring cybersecurity in software development environments, underscoring the necessity of robust risk management practices.
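The three checks Socket recommends can be applied mechanically to a package before it is allowed into a build. The following is an added example (not code from Socket or from npm) that audits a parsed package.json plus the package's file contents for install-time hooks, hardcoded URLs, and a suspiciously small total size; the sample package, the `collector.invalid` endpoint and the 4 KB size threshold are constructed assumptions.

```javascript
// Added defender-side audit: flags install-time hooks, hardcoded URLs in the
// hook commands and the scripts they invoke, and unusually small packages.
// `pkg` is a parsed package.json; `files` maps file name -> file content,
// as you would obtain by extracting the package tarball.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const URL_RE = /https?:\/\/[^\s'"`)]+/g;
const SMALL_PACKAGE_BYTES = 4096; // assumed threshold; tune per policy

function auditPackage(pkg, files) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};

  // 1. Lifecycle hooks that run automatically on `npm install`.
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
  for (const h of hooks) {
    findings.push({ rule: 'install-hook', detail: `${h}: ${scripts[h]}` });
  }

  // 2. Hardcoded URLs in hook commands and in any .js file a hook references.
  const referenced = new Set();
  for (const h of hooks) {
    for (const tok of scripts[h].split(/\s+/)) {
      if (tok.endsWith('.js')) referenced.add(tok);
    }
  }
  const sources = hooks.map((h) => scripts[h])
    .concat([...referenced].map((f) => files[f] || ''));
  for (const src of sources) {
    for (const url of src.match(URL_RE) || []) {
      findings.push({ rule: 'hardcoded-url', detail: url });
    }
  }

  // 3. Tiny packages: a "library" whose whole payload is a few hundred bytes.
  const totalBytes = Object.values(files)
    .reduce((n, c) => n + Buffer.byteLength(c, 'utf8'), 0);
  if (totalBytes < SMALL_PACKAGE_BYTES) {
    findings.push({ rule: 'small-package', detail: `${totalBytes} bytes` });
  }
  return findings;
}

// Constructed sample package (not a real one) that trips all three rules.
const samplePkg = { name: 'example-pkg', version: '1.0.0',
  scripts: { postinstall: 'node setup.js' } };
const sampleFiles = {
  'package.json': JSON.stringify(samplePkg),
  'setup.js': "// constructed: collects host details for a hardcoded endpoint\n" +
    "const os = require('os');\nconst target = 'https://collector.invalid/report';\n",
  'index.js': 'module.exports = {};\n',
};
for (const f of auditPackage(samplePkg, sampleFiles)) console.log(`[${f.rule}] ${f.detail}`);
```

In practice, run the audit in CI against the extracted tarball of each new dependency and fail the build on any `install-hook` finding that a human has not explicitly approved.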