Everyday is lazarus.dayβ

Crypto-Themed npm Packages Found Delivering Stealthy Malware

2023-11-04, Phylum
#SupplyChain #NPM


On October 30, 2023, Phylum’s automated risk detection platform alerted us to a strange publication to npm called puma-com. Upon investigation, we found a very convoluted attack chain that ultimately pulled a remote file, manipulated it in place, called an exported function from that file, and then meticulously covered its tracks by removing and renaming files along the way. Since then we’ve been tracking four additional packages belonging to this campaign as well. We are currently reverse engineering the DLL, but it is flagged by 20 vendors on VirusTotal, so we’re sure it’s up to no good. Join us as we unravel this convoluted attack.
What’s clever about this attack is that if you install this package and then go take a look at its contents you won’t see any malware. That’s because the installation of the package itself triggers not only the malware deployment, but …