URL: https://thehackernews.com/2024/11/xmlrpc-npm-library-turns-malicious.html
Submission: On December 12 via api from IN — Scanned from US

XML-RPC NPM LIBRARY TURNS MALICIOUS, STEALS DATA, DEPLOYS CRYPTO MINER

Nov 28, 2024Ravie LakshmananSoftware Security / Data Breach

Cybersecurity researchers have discovered a software supply chain attack that
has remained active for over a year on the npm package registry by starting off
as an innocuous library and later adding malicious code to steal sensitive data
and mine cryptocurrency on infected systems.

The package, named @0xengine/xmlrpc, was originally published on October 2, 2023
as a JavaScript-based XML-RPC server and client for Node.js. It has been
downloaded 1,790 times to date and remains available for download from the
repository.

Checkmarx, which discovered the package, said the malicious code was
strategically introduced in version 1.3.4 a day later, harboring functionality
to harvest valuable information such as SSH keys, bash history, system metadata,
and environment variables every 12 hours, and exfiltrate it via services like
Dropbox and file.io.



"The attack achieved distribution through multiple vectors: direct npm
installation and as a hidden dependency in a legitimate-looking repository,"
security researcher Yehuda Gelb said in a technical report published this week.

The second approach involves a GitHub project repository named yawpp (short for
"Yet Another WordPress Poster") that purports to be a tool designed to
programmatically create posts on the WordPress platform.

Its "package.json" file lists the latest version of @0xengine/xmlrpc as a
dependency, thereby causing the malicious npm package to be automatically
downloaded and installed when users attempt to set up the yawpp tool on their
systems.

It's currently not clear if the developer of the tool deliberately added this
package as a dependency. The repository has been forked once as of writing.
Needless to say, this approach is another effective malware distribution method
as it exploits the trust users place in package dependencies.
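The hidden-dependency vector described above can be checked for on the defender's side by auditing the lockfile rather than trusting the top-level manifest. The following Node.js audit is an added example (not code from the article, Checkmarx, or the yawpp project): it walks a package-lock.json, reports every install of a flagged package, and names the package that declared it. The sample lockfile is constructed here, and the "latest" range on the yawpp entry is an assumption.

```javascript
// Added example, not from the article or Checkmarx: audit a package-lock.json
// for a known-bad package that arrives as a transitive ("hidden") dependency.
const FLAGGED = new Set(["@0xengine/xmlrpc"]); // package name from the article

// Last path component of a lockfile v2/v3 key, e.g.
// "node_modules/yawpp/node_modules/@0xengine/xmlrpc" -> "@0xengine/xmlrpc".
function pkgNameFromKey(key) {
  const parts = key.split("node_modules/");
  return parts[parts.length - 1].replace(/\/$/, "");
}

// lockfileVersion 2/3: "packages" is a flat map keyed by install path; each
// entry lists its own direct dependencies, which gives the dependency edges.
function auditV2(packages) {
  const hits = [];
  for (const [key, info] of Object.entries(packages)) {
    if (key === "") continue; // root project entry
    const name = pkgNameFromKey(key);
    if (!FLAGGED.has(name)) continue;
    const dependents = Object.entries(packages)
      .filter(([, p]) => p.dependencies && name in p.dependencies)
      .map(([k, p]) =>
        `${k === "" ? "<root>" : pkgNameFromKey(k)} (${p.dependencies[name]})`);
    hits.push({ name, version: info.version, dependents });
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" objects; the nesting is the chain.
function auditV1(deps, chain, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...chain, name];
    if (FLAGGED.has(name)) {
      const via = path.slice(0, -1).join(" > ") || "<root>";
      hits.push({ name, version: info.version, dependents: [via] });
    }
    auditV1(info.dependencies, path, hits);
  }
  return hits;
}

function auditLockfile(lock) {
  return lock.packages ? auditV2(lock.packages) : auditV1(lock.dependencies, [], []);
}

// Constructed sample mirroring the article's scenario: the project installs
// "yawpp", whose manifest pulls in the flagged package via a floating range
// (the "latest" range is an assumption, not taken from the repository).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { yawpp: "^1.0.0" } },
    "node_modules/yawpp": { version: "1.0.0", dependencies: { "@0xengine/xmlrpc": "latest" } },
    "node_modules/@0xengine/xmlrpc": { version: "1.3.4" },
  },
};
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Running this on a real checkout of a project that depends on yawpp would surface the package even though it never appears in the project's own package.json.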

Once installed, the malware is designed to collect system information, establish
persistence on the host through systemd, and deploy the XMRig cryptocurrency
miner. As many as 68 compromised systems have been found to actively mine
cryptocurrency through the attacker's Monero wallet.

Furthermore, it's equipped to constantly monitor the list of running processes
to check for the presence of commands like top, iostat, sar, glances, dstat,
nmon, vmstat, and ps, and terminate all mining-related processes if found. It's
also capable of suspending mining operations if user activity is detected.

"This discovery serves as a stark reminder that a package's longevity and
consistent maintenance history do not guarantee its safety," Gelb said. "Whether
initially malicious packages or legitimate ones becoming compromised through
updates, the software supply chain requires constant vigilance – both during
initial vetting and throughout a package's lifecycle."

The disclosure comes as Datadog Security Labs uncovered an ongoing malicious
campaign targeting Windows users that uses counterfeit packages uploaded to both
npm and the Python Package Index (PyPI) repositories with the end goal of
deploying open-source stealer malware known as Blank-Grabber and Skuld Stealer.



The company, which detected the supply chain attack last month, is tracking the
threat cluster under the name MUT-8694 (where MUT stands for "mysterious
unattributed threat"), stating it overlaps with a campaign that was documented
by Socket earlier this month as aiming to infect Roblox users with the same
malware.

As many as 18 and 39 unique phony packages have been uploaded to npm and PyPI,
respectively, with the libraries attempting to pass themselves off as legitimate
packages through the use of typosquatting techniques.

"The use of numerous packages and involvement of several malicious users
suggests MUT-8694 is persistent in their attempts to compromise developers,"
Datadog researchers said. "Contrary to the PyPI ecosystem, most of the npm
packages had references to Roblox, an online game creation platform, suggesting
that the threat actor is targeting Roblox developers in particular."


UPDATE

The GitHub repository for the yawpp tool and its associated account are no
longer accessible.

© The Hacker News, 2024. All Rights Reserved.