An unknown threat actor is leveraging malicious npm packages to target developers with an aim to steal source code and configuration files from victim machines, a sign of how threats lurk consistently in open-source repositories.
“The threat actor behind this campaign has been linked to malicious activity dating back to 2021,” software supply chain security firm Checkmarx said in a report shared with The Hacker News. “Since then, they have continuously published malicious packages.”
The latest report is a continuation of the same campaign that Phylum disclosed at the start of the month in which a number of npm modules were engineered to exfiltrate valuable information to a remote server.
The packages, by design, are configured to execute immediately post-installation by means of a postinstall hook defined in the package.json file. It triggers the launch of preinstall.js, which spawns index.js to capture the system metadata as well as harvest source code and secrets from specific directories.
The attack culminates with the script creating a ZIP archive of the data and transmitting it to a predefined FTP server.
A common trait that connects all the packages is the use of “lexi2” as the author in the package.json file, enabling Checkmarx to trace the origins of the activity as far back as 2021.
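As an added defender-side illustration (not code from Checkmarx, Phylum or the packages themselves), the following script checks a package.json manifest for the two traits the article describes: install-time lifecycle hooks such as `postinstall` that launch a script, and the "lexi2" author string. The manifests it scans are constructed samples with hypothetical package names.

```python
"""Added example: flag npm manifests that declare install-time lifecycle hooks
and/or carry the 'lexi2' author marker described in the article.
The sample manifests below are constructed, not taken from npm."""
import json

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
KNOWN_AUTHOR = "lexi2"  # author value the article ties to this campaign


def author_name(pkg):
    """package.json 'author' may be a plain string or an object with 'name'."""
    author = pkg.get("author")
    if isinstance(author, dict):
        return str(author.get("name", ""))
    return str(author or "")


def check_manifest(manifest_text):
    """Return (severity, message) findings for one package.json; [] means clean."""
    pkg = json.loads(manifest_text)
    findings = []
    scripts = pkg.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            cmd = scripts[hook]
            # A hook that runs a bundled JS file matches the preinstall.js pattern
            severity = "high" if "node " in cmd or cmd.endswith(".js") else "medium"
            findings.append((severity, f"lifecycle hook '{hook}' runs: {cmd}"))
    if author_name(pkg).strip().lower() == KNOWN_AUTHOR:
        findings.append(("high", "author field matches campaign marker 'lexi2'"))
    return findings


# Constructed sample manifests (hypothetical package names)
SUSPECT = json.dumps({
    "name": "example-crm-client", "version": "1.0.3", "author": "lexi2",
    "scripts": {"postinstall": "node preinstall.js"},
})
BENIGN = json.dumps({
    "name": "example-utils", "version": "2.1.0",
    "author": {"name": "Jane Maintainer"}, "scripts": {"test": "mocha"},
})

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT), ("benign", BENIGN)):
        for sev, msg in check_manifest(text):
            print(f"[{sev}] {label}: {msg}")
```

Running the check over `node_modules/*/package.json` after a dry install surfaces hooks before they execute; `npm install --ignore-scripts` prevents lifecycle hooks from running at all.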
While the exact goals of the campaign are unclear, the use of package names such as binarium-client, binarium-crm, and rocketrefer suggests that the targeting is geared towards the cryptocurrency sector.
“The cryptocurrency sector remains a hot target, and it’s important to recognize that we’re not just grappling with malicious packages, but also persistent adversaries whose continuous and meticulously planned attacks date back months or even years,” security researcher Yehuda Gelb said.