UPDATED 07:00 EDT / AUGUST 30 2023

Checkmarx warns of unknown threat actor targeting developers through NPM packages

Researchers at application security testing firm Checkmarx Ltd. today detailed a previously unknown threat actor leveraging NPM packages to target developers to steal source code and secrets.

The threat actor, believed to have been active since 2021 but undetected until now, has been publishing malicious NPM packages. The malicious packages were designed with the purpose of exfiltrating sensitive data such as source code and configuration files from the machines of victims.

Each of the malicious packages used by the threat actor was designed to execute automatically upon installation. Each NPM package contained three files — package.json, preinstall.js, and index.js — that were used as part of the attack process.

Upon installing the malicious package, a post-install hook defined in the package.json file triggers the preinstall.js script, which then uses a method called “spawn” to launch another file named index.js.

When index.js runs as a separate process, it continues to operate independently even after the main installation process is complete. The index.js script collects the current operating system username and working directory and then sends this information in an HTTP GET request to a predefined server.

The malicious code then looks through directories on the now infected machine and targets specific directories such as .env, .gitlab and .github and files with extensions such as .asp, .js and .php. The code subsequently compresses the discovered directories, avoids unreadable directories or existing .zip files and then attempts to upload the archives to a predefined FTP server.

According to the metadata analyzed in the malicious NPM packages' files, the author goes by the name of “lexi2.” A search for other references to lexi2 also found additional malicious packages dating back to 2021.

“Reactive countermeasures of deleting the most recent batch of malicious packages offer only temporary relief and don’t get to the root of the problem,” the researchers concluded. “Protection against these unrelenting threats requires a more sophisticated strategy.”

The researchers also noted that sharing metadata and tracking attackers is essential to a broader security approach that goes beyond short-term fixes and delves into the ongoing monitoring and analysis of attacker behavior and patterns.
