Malicious npm Packages Found Using Image Files to Hide Backdoor Code

July 16, 2024 at 06:19AM

Cybersecurity researchers discovered two malicious packages on the npm registry containing backdoor code for executing commands from a remote server. The packages, disguised as legitimate libraries, were taken down after being downloaded 190 and 48 times. The command-and-control functionality was hidden in image files and was designed to run during package installation.

Key Takeaways:

– Two malicious packages, img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy, were identified on the npm package registry.
– These packages contained backdoor code disguised as image files and were designed to execute malicious commands sent from a remote server.
– The malicious packages impersonated a legitimate npm library called aws-s3-object-multipart-copy and utilized an altered version of the “index.js” file to execute a JavaScript file (“loadformat.js”).
– The backdoor code was programmed to execute attacker-issued commands periodically and exfiltrate the output back to the attacker via a specific endpoint.
– The security firm Phylum emphasized the rise in sophistication and volume of malicious packages in open source ecosystems, stressing the imperative need for vigilance in consuming open source libraries.

It is essential to remain vigilant regarding the open source libraries consumed, as highlighted by the security firm’s warning.
