Brother
Attackers came up with a clever way to distribute scripts via GitHub.
ReversingLabs has discovered two malicious modules in the popular NPM package registry that use GitHub to store Base64-encrypted SSH keys that were previously stolen from developers' systems.
The modules, called warbeast2000 and kodiak2k, were published in early January and collected 412 and 1281 downloads, respectively, before being removed by npm employees. The last uploads occurred on January 21. ReversingLabs reports that 8 different versions of warbeast2000 and more than 30 versions of kodiak2k were detected. Both modules are designed to run the script after installation, each of which is able to extract and execute different JavaScript files.
The warbeast2000 module tries to access a private SSH key, and kodiak2k is designed to search for a key named "meow", which indicates that developers may use placeholder names in the early stages of development.
The second stage of the malicious script reads the private SSH key from the id_rsa file located in the "<homedir>/.ssh" directory. It then uploads the Base64-encoded key to an attacker-controlled GitHub repository. Subsequent versions of kodiak2k ran a script from an archived GitHub project that stores the Empire post-exploitation framework. It is capable of running Mimikatz, which retrieves credentials from the process's memory.
The detected campaign is yet another example of how cybercriminals are using open source package managers and related infrastructure to support malicious software supply chain campaigns targeting developer and end-user organizations.