"Glup-debugger-log": a false friend of the developer who steals control of the PC

Tomcat

Why is a malicious Node.js package still available for download?

Cybersecurity researchers from Phylum have discovered a new threat in the Node.js ecosystem. A malicious package, "glup-debugger-log", disguised as the legitimate "gulplog" package, was uploaded to the open npm package registry.

At first glance the package may seem harmless, even though it was published only recently and has a typo in its name. However, Phylum's specialists revealed its true purpose: planting a remote access Trojan (RAT) on infected systems.

The glup-debugger-log package was uploaded to npm almost two weeks ago and is still available for download. At the time this news was published it had already been downloaded 180 times. This clearly puts at risk many developers who use this popular build tool.

The malicious package contains two obfuscated JavaScript files that work together. The first acts as a dropper, preparing the ground for a full-fledged attack: it compromises the target machine if certain conditions are met and then downloads additional malicious components.

The second script gives the attackers persistent remote access to control the compromised system. Once installed, the package checks the number of files in the user's Desktop folder. Experts suggest this is done to identify active developer workstations, which are attacked as a priority.

If the number of files exceeds a certain threshold, the malware proceeds to the next stage: setting up a reverse connection via an HTTP server on port 3004. This server lets the attackers execute arbitrary commands on the infected machine and immediately receive the results of their execution.

Despite its relatively simple functionality, Phylum's experts note that this RAT combines primitiveness with sophistication. On the one hand it has minimal features; on the other, it uses code obfuscation techniques to make analysis harder.

This further highlights the growing threat of malware in open source ecosystems. Attackers are using new tricks to create compact, efficient and stealthy malware carriers that are hard to detect yet have dangerous capabilities.

The researchers urge developers to carefully check any third-party packages and libraries before using them, as well as adhere to best security practices when developing software.
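The post's advice to check third-party packages can be made concrete. The following is an added example, not code from the post or from Phylum: it scans a package-lock.json (assumed to be the v2/v3 format, where dependencies live under "packages" keyed by "node_modules/<name>") and flags two things: names on a small blocklist (here only "glup-debugger-log", the package named above) and names whose hyphen-separated tokens are one edit away from a popular package name, the way "glup" is a transposition of "gulp". The list of popular names, the sample lockfile and the one-edit threshold are all assumptions made for the example.

```javascript
// Added example (not from the original post or from Phylum). Assumptions:
// package-lock.json v2/v3 layout, a hypothetical watch list of popular names,
// and a one-edit threshold for "lookalike" detection.
"use strict";

// Hypothetical list of popular names an attacker might imitate.
const POPULAR = ["gulp", "gulplog", "lodash", "express", "react", "debug"];

// Known-bad names: the package discussed in the post.
const BLOCKLIST = new Set(["glup-debugger-log"]);

// Optimal-string-alignment (restricted Damerau-Levenshtein) distance, so a
// single adjacent transposition such as "glup" -> "gulp" costs 1.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Verdict for one package name: exact blocklist hit, or a token that is exactly
// one edit away from a popular name without being that name itself.
function assessName(name) {
  if (BLOCKLIST.has(name)) return { name, verdict: "blocklisted", lookalike: null };
  const bare = name.startsWith("@") ? name.split("/")[1] : name; // drop scope
  const candidates = new Set([bare, ...bare.split(/[-_.]/)]);
  for (const tok of candidates) {
    if (tok.length < 4) continue; // very short tokens produce false positives
    for (const pop of POPULAR) {
      if (tok !== pop && osaDistance(tok, pop) === 1) {
        return { name, verdict: "suspicious", lookalike: pop };
      }
    }
  }
  return { name, verdict: "ok", lookalike: null };
}

// Walk a parsed package-lock.json object and return every non-"ok" finding.
function scanLockfile(lock) {
  const findings = [];
  for (const key of Object.keys(lock.packages || {})) {
    if (key === "") continue; // the root project entry
    const marker = "node_modules/";
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    const r = assessName(name);
    if (r.verdict !== "ok") findings.push(r);
  }
  return findings;
}

// Constructed sample lockfile for the example; not a real project's.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo" },
    "node_modules/gulp": { version: "4.0.2" },
    "node_modules/gulplog": { version: "2.0.0" },
    "node_modules/glup-debugger-log": { version: "1.0.0" },
    "node_modules/lodahs": { version: "1.0.0" },
    "node_modules/@types/node": { version: "20.0.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanLockfile(SAMPLE_LOCK)) console.log(f);
}
```

On the sample lockfile the scan reports "glup-debugger-log" as blocklisted and "lodahs" as a lookalike of "lodash", while "gulp", "gulplog" and "@types/node" pass. The one-edit threshold is deliberately tight; widening it catches more squats but also more legitimate forks, so a real check should pair it with registry metadata such as publish date and download count, the very signals the post says were ignored here.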