Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub


January 23, 2024 at 01:05PM

Two malicious npm packages, warbeast2000 and kodiak2k, used GitHub as a drop site for SSH private keys stolen from developer machines, uploading them in Base64-encoded (not encrypted) form to an attacker-controlled repository. They were discovered and taken down after attracting 412 and 1,281 downloads respectively. Both packages declare a postinstall script, which npm runs automatically at install time, so simply installing the package was enough to execute the attacker's JavaScript. The incident is another instance of the ongoing software supply chain threat posed by open source package registries.

Key takeaways from the article:
– Two malicious packages, warbeast2000 and kodiak2k, were discovered on the npm package registry; both used GitHub to store Base64-encoded SSH keys stolen from developer systems.
– The packages attracted 412 and 1,281 downloads respectively before being taken down by the npm maintainers, with the most recent downloads occurring on January 21, 2024.
– The security firm ReversingLabs made the discovery and noted multiple versions of both packages.
– These packages are designed to run a postinstall script after installation, with warbeast2000 attempting to access private SSH keys and kodiak2k targeting a key named “meow.”
– The malicious scripts uploaded the Base64-encoded keys to an attacker-controlled GitHub repository and were also found to execute a script capable of launching Mimikatz, a credential-dumping tool.
– The incident highlights the ongoing threat of cybercriminals using open source package managers and related infrastructure for malicious software supply chain campaigns targeting development and end-user organizations.

