
Malicious Packages Hide Scripts for Mapping Enterprise Networks
Prajeet Nair (@prajeetspeaks) •
May 24, 2025

A hacking campaign is spreading malicious reconnaissance scripts that have already been downloaded more than 3,000 times from npm, the package repository for the JavaScript runtime environment, researchers warn.
Researchers from Socket’s Threat Research Team identified 60 npm packages carrying a “small install‑time script” that exfiltrates data such as hostnames, IP addresses, DNS configurations, usernames and project paths.
Whoever is behind the campaign has “a growing map of developer and enterprise networks that can guide future intrusions,” Socket said Thursday.
The reconnaissance script is likely a harbinger of worse things to come. Because the npm registry “offers no guardrails for post‑install hooks, expect new throwaway accounts, fresh packages, alternative exfiltration endpoints, and perhaps larger payloads once a target list is complete,” Socket warned.
The npm repository is a recurring source of malicious packages that take advantage of careless coding practices. Socket only days earlier spotted a collection of malicious packages for widely-used JavaScript frameworks that went undetected for more than two years, accumulating more than 6,200 downloads. The software supply chain firm in April detected North Korean hackers spreading the BeaverTail infostealer through 11 npm packages masquerading as utilities for array validation, logging and debugging (see: Lazarus Expands NPM Campaign With Trojan Loaders).
The first malicious package in this campaign emerged only two weeks ago, with a new package appearing on the repository only hours before Socket went public. “The script targets Windows, macOS or Linux systems, and includes basic sandbox‑evasion checks, making every infected workstation or continuous‑integration node a potential source of valuable reconnaissance,” Socket wrote.
Install-time scripts, also known as post-install scripts, automatically run after an npm package is installed on a system. Each package was published under one of three npm accounts: bbbb335656, cdsfdfafd1232436437 and sdsds656565, with each account distributing 20 identical packages containing the reconnaissance script.
The packages, including seatable, datamart and seamless-sppmy, all feature the same JavaScript logic for network and host fingerprinting.
Socket reported the packages to the npm registry but said at the time that they remained live. As of Saturday, they appear to no longer be active.
Socket recommended that developers scan for post-install hooks, hardcoded URLs and unusually small package sizes.