
Fake Developer Jobs Laced With Malware

2024-02-20, Phylum


Phylum continues to discover malware polluting open-source ecosystems. In this blog post, we take a deep dive into an npm package that masquerades as a code profiler but actually installs several malicious scripts, including a cryptocurrency and credential stealer. Curiously, the attacker attempted to hide the malicious code in a test file, presumably thinking that no one would bother to look for malware in test code. Along the way, we point out critical mistakes made by the attacker that helped link this package to some suspect repositories on GitHub that Phylum is continuing to investigate.
npm package takedowns. Details below.
Spoofing a legitimate package
On 5 Feb 2024, an npm user named nino1234 published execution-time-async version 1.4.1. A cursory inspection of the code shows the similarity between this package and execution-time version 1.4.1, which is a “node.js utility to measure execution time in code” and which has over 27K weekly downloads. (As …