Cybersecurity experts have identified a prolonged software supply chain breach affecting the npm package registry, with the attack persisting for over a year. What initially appeared to be a benign library evolved into a tool embedding malicious code designed to siphon sensitive data and mine cryptocurrency from compromised systems.
The package in question, @0xengine/xmlrpc, was released on October 2, 2023, as a JavaScript-based XML-RPC server and client for Node.js. To date, it has accumulated 1,790 downloads and remains publicly available for users.
Research firm Checkmarx, which uncovered the exploit, reported that the malicious code was injected into version 1.3.4 just one day after the package's initial release. This version includes functionality that collects valuable system data, such as SSH keys, bash histories, system metadata, and environment variables, every 12 hours. The collected information is exfiltrated via popular services like Dropbox and file.io.
According to security researcher Yehuda Gelb, the distribution of this attack occurred through various channels: direct npm installations and as a covert dependency in seemingly legitimate repositories. One such repository is a GitHub project named yawpp, designed to automatically generate posts for the WordPress platform.
The repository’s “package.json” file lists the latest version of @0xengine/xmlrpc, ensuring that the malicious package is downloaded when users set up the yawpp tool. While it is unclear if the repository’s developer intentionally added this dependency, the approach exemplifies how attackers exploit user trust in software packages.
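Because the package can arrive as a dependency of another project rather than through a direct install, checking package.json alone is not enough; the lockfile records what was actually resolved. The following is an added example, not code from Checkmarx or from the article: a Node.js check that looks for @0xengine/xmlrpc in both files. The function names, the sample lockfile, and the treatment of every release from 1.3.4 onward as suspect are assumptions made for illustration.

```javascript
const FLAGGED = '@0xengine/xmlrpc'; // package named in the article
const FIRST_BAD = [1, 3, 4];        // version the article says received the payload
// Assumption: every release from 1.3.4 onward still carries the malicious code.
function atOrAfterFirstBad(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return false;
  for (let i = 0; i < 3; i++) {
    const d = Number(m[i + 1]) - FIRST_BAD[i];
    if (d !== 0) return d > 0;
  }
  return true;
}

// package.json holds version ranges, so a hit here only proves the dependency is declared.
function scanManifest(pkg) {
  return ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies']
    .filter((field) => pkg[field] && FLAGGED in pkg[field])
    .map((field) => ({ where: field, range: pkg[field][FLAGGED] }));
}

// package-lock.json holds resolved versions, including transitive installs.
// v2/v3 use a flat "packages" map keyed by node_modules path; v1 nests "dependencies".
function scanLockfile(lock) {
  const hits = [];
  const add = (where, version) =>
    hits.push({ where, version, suspect: atOrAfterFirstBad(version) });
  if (lock.packages) {
    const suffix = 'node_modules/' + FLAGGED;
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === suffix || path.endsWith('/' + suffix)) add(path, meta.version);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === FLAGGED) add(trail.concat(name).join(' > '), meta.version);
      walk(meta.dependencies, trail.concat(name));
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: a v3 lockfile where the package arrives only transitively.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', dependencies: { 'hypothetical-wp-tool': '^1.0.0' } },
  'node_modules/hypothetical-wp-tool': { version: '1.0.2' },
  'node_modules/hypothetical-wp-tool/node_modules/@0xengine/xmlrpc': { version: '1.3.6' } } };
console.log(scanLockfile(SAMPLE_LOCK));
```

To check a real project, pass the parsed contents of its package.json and package-lock.json to scanManifest and scanLockfile.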
Once installed, the malware can gather system information and maintain a persistent presence through systemd, while also deploying the XMRig cryptocurrency miner. Investigations indicate that as many as 68 systems have been compromised for cryptocurrency mining purposes linked to the attacker’s Monero wallet.
Moreover, the malware actively monitors for common system commands like top, iostat, and ps and terminates its mining processes when they are detected, so that its operations remain unnoticed. Gelb emphasized that this incident highlights the risks of relying on a package’s history and maintenance as indicators of safety. Continuous vigilance is critical throughout a package’s lifecycle to mitigate the threat posed by packages that start out harmless or are later compromised.
The revelations arrive alongside findings from Datadog Security Labs, which is tracking a malicious campaign targeting Windows users through fraudulent packages on both npm and the Python Package Index (PyPI). This operation, tracked under the identifier MUT-8694, reportedly overlaps with similar activities aiming to exploit developers, particularly those involved with Roblox.
As many as 18 counterfeit packages have been uploaded to npm and 39 to PyPI, utilizing typosquatting strategies to masquerade as legitimate offerings. Datadog researchers suggest that the involvement of multiple malicious actors indicates a persistent effort to infiltrate developer environments.
Significantly, these breaches relate to various tactics from the MITRE ATT&CK Matrix, including initial access, where adversaries exploit trusted repositories, and persistence, as observed through the continuous monitoring features of the malware. As investigations continue, the yawpp repository and its linked accounts have been taken down, further underscoring the need for heightened awareness regarding package integrity and security in software development.