lazarusholic


Operation Brainleeches: Malicious npm packages fuel supply chain and phishing attacks

2023-07-06, ReversingLabs
https://www.reversinglabs.com/blog/operation-brainleeches-malicious-npm-packages-fuel-supply-chain-and-phishing-attacks
#Brainleeches #NPM

Executive Summary
ReversingLabs researchers recently discovered more than a dozen malicious packages published to the npm open source repository that appear to target application end users while also supporting email phishing campaigns targeting Microsoft 365 users. Some key takeaways from our report:
- The discovery may be the first "dual use" campaign in which malicious open source packages power both commodity phishing attacks and higher-end software supply chain compromises.
- The malicious npm packages were discovered in two tranches: One supported phishing attacks that harvested user data with phony Microsoft.com login forms launched from malicious email attachments. The other was intended to implant credential harvesting scripts in applications that inadvertently incorporate the npm packages.
- The malicious packages were posted to npm between May 11 and June 13. They mimic legitimate npm modules, notably jquery, which has about 7 million weekly downloads.
- The malicious packages were downloaded around 1,000 times in total, but were …

IoC
