Malware Reports
Beware: 3 Malicious PyPI Packages Found Targeting Linux with Crypto Miners
- https://thehackernews.com/2024/01/beware-3-malicious-pypi-packages-found.html
- Updated At: 1704348000000
- Author: Newsroom (Jan 04, 2024)
Beware of hidden dangers in open-source libraries. Three new malicious PyPI packages found deploying cryptocurrency miners.
Developer Alert: NPM Packages for Node.js Hiding Dangerous TurkoRat Malware
- https://thehackernews.com/2023/05/developer-alert-npm-packages-for-nodejs.html
- Author: Ravie Lakshmanan
Two npm packages, nodejs-encrypt-agent and nodejs-cookie-proxy-agent, were found to harbor the TurkoRat malware.
Fresh Wave of Malicious npm Packages Threaten Kubernetes Configs and SSH Keys
- https://thehackernews.com/2023/09/fresh-wave-of-malicious-npm-packages.html
- Updated At: 1695186000000
- Author: THN (Sep 20, 2023)
Beware of npm imposters! 14 fraudulent packages found in the registry, posing as legit tools. They aim to steal your Kubernetes configs and SSH keys.
Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub
- https://thehackernews.com/2024/01/malicious-npm-packages-exfiltrate-1600.html
- Updated At: 1705989600000
- Author: Newsroom (Jan 23, 2024)
Did you download Warbeast2000 or Kodiak2k from npm? If so, your SSH keys might be compromised! These packages steal keys & upload them to GitHub.
More Than 200 Cryptomining Packages Flood npm and PyPI Registry
More than 200 malicious packages have flooded npm and PyPI registries to install cryptominers on Linux hosts.
New Ongoing Campaign Targets npm Ecosystem with Unique Execution Chain
- https://thehackernews.com/2023/06/new-ongoing-campaign-targets-npm.html
- Updated At: 1687928400000
- Author: Ravie Lakshmanan (Jun 27, 2023)
New npm attack discovered! Cybersecurity researchers find an ongoing campaign with a unique execution chain.
NPM packages posing as speed testers install crypto miners instead
- https://www.bleepingcomputer.com/news/security/npm-packages-posing-as-speed-testers-install-crypto-miners-instead/
- Author: Bill Toulas
A new set of 16 malicious NPM packages is pretending to be internet speed testers but is, in reality, coinminers that hijack the compromised computer's resources to mine cryptocurrency for the threat actors.
Over a Dozen Malicious npm Packages Target Roblox Game Developers
- https://thehackernews.com/2023/08/over-dozen-malicious-npm-packages.html
- Updated At: 1692766800000
Malicious packages on the npm repository have been found. These imposters are deploying Luna Token Grabber malware.
Rogue npm Package Deploys Open-Source Rootkit in New Supply Chain Attack
- https://thehackernews.com/2023/10/rogue-npm-package-deploys-open-source.html
- Updated At: 1696395600000
- Author: THN (Oct 04, 2023)
⚠️ Watch out, developers! A rogue rootkit named r77 has been found in a deceptive npm package. This is the first-ever case of a package delivering a r
Typosquatting campaign delivers r77 rootkit via npm
- https://www.reversinglabs.com/blog/r77-rootkit-typosquatting-npm-threat-research
- Author: Lucija Valentić
One “s” is all that separates a legitimate npm package from a malicious twin that delivered the r77 rootkit, and was downloaded more than 700 times, ReversingLabs researchers discovered.
VMConnect: Malicious PyPI packages imitate popular open source modules
- https://www.reversinglabs.com/blog/vmconnect-malicious-pypi-packages-imitate-popular-open-source-modules
- Author: Karlo Zanki
ReversingLabs threat researchers have identified a new malicious PyPI campaign that includes a suspicious VMConnect package published to the PyPI repo.
Obfuscated PyPI Packages Purporting to be i18n Libraries Actually Stealing Telegram Data
- https://blog.phylum.io/obfuscated-pypi-packages-purporting-to-be-i18n-libraries-actually-stealing-telegram-data/
- Published At: 1698728400000
- Author: Phylum Research Team
Phylum discovered two packages published to PyPI on October 28 that claim to be libraries for simplifying internationalization. The files were highly obfuscated and upon further inspection were found to contain malicious code designed to steal sensitive Telegram Desktop application data and system information, which it then sends to an
Cloud Provider Credentials Targeted in New PyPI Malware Campaign
- https://blog.phylum.io/cloud-provider-credentials-targeted-in-new-pypi-malware-campaign/
- Published At: 1696827600000
- Author: Phylum Research Team
Over the weekend, Phylum’s automated risk detection alerted us to a series of publications surrounding packages on PyPI, all purporting to be some kind of cloud provider SDK or helper package. While these packages do, in fact, provide the purported functionality, they also surreptitiously ship the credentials off to
Nascent Malware Campaign Targets npm, PyPI, and RubyGems Developers
- https://blog.phylum.io/malware-campaign-targets-npm-pypi-and-rubygems-developers/
- Published At: 1693803600000
- Author: Phylum Research Team
Phylum has been extremely busy in the past few weeks, reporting on multiple malware campaigns, including malicious updates to npm packages, malware masquerading as a GCC binary, and a package containing a complicated command-and-control setup for data exfiltration. We monitor open-source ecosystems and analyze every package's source code and metadata
Dormant npm Package Update Targets Ethereum Private Keys
- https://blog.phylum.io/dormant-npm-package-update-targets-ethereum-private-keys/
- Published At: 1693630800000
- Author: Phylum Research Team
On the afternoon of September 1, 2023, Phylum's automated risk detection platform flagged two new publications of the https://app.phylum.io/package/npm/hardhat-gas-report/1.1.17 package. It turns out these updates included a stealthy clipboard monitor with a persistence mechanism attempting to exfiltrate Ethereum private keys to
North Korean Hackers Suspected in New Wave of Malicious npm Packages
- https://thehackernews.com/2023/08/north-korean-hackers-suspected-in-new.html
- Published At: 1692075600000
- Updated At: 1692248400000
Nine npm packages uploaded between Aug 9-12, 2023 have caught the attention of security experts.
Sophisticated, Highly-Targeted Attacks Continue to Plague npm
- https://blog.phylum.io/sophisticated-highly-targeted-attacks-continue-to-plague-npm/?ref=software-supply-chain-attack-research-newsletter
- Published At: 1691730000000
- Author: Phylum Research Team
Phylum excels at detecting and blocking software supply-chain attacks on developers and their organizations. In June, we were the first to identify North Korean state actors conducting campaigns against npm developers. Today, we unveil another targeted campaign with similar behaviors, again targeting npm. Background: On August 9, 2023, Phylum's
Typosquat of popular Ethereum package on npm sends private keys to remote server
- https://blog.phylum.io/typosquat-of-popular-ethereum-package-steals-private-keys/
- Published At: 1691211600000
- Author: Phylum Research Team
On Aug 3, 2023, Phylum's automated risk detection platform alerted us to a series of suspicious publications on npm. The attacker eventually published final versions of two packages: a typosquat of a popular cryptocurrency library and a dependency that contained the malicious code buried deep in a large file
Targeted npm Malware Attempts to Steal Company Source Code and Secrets
- https://blog.phylum.io/targeted-npm-malware-attempts-to-steal-developers-source-code-and-secrets/?ref=software-supply-chain-attack-research-newsletter
- Published At: 1691038800000
- Updated At: 1692853200000
- Author: Phylum Research Team
This appears to be a slow, ongoing attack. Since our initial report, two more packages have been identified as part of this campaign: ng-zulutrade-ssr and binarium-crm. We will provide periodic updates as we identify further publications associated with this campaign.
Targeted npm Malware Attempts to Steal Company Source Code and Secrets
- https://blog.phylum.io/targeted-npm-malware-attempts-to-steal-developers-source-code-and-secrets
- Published At: 1691038800000
- Author: Phylum Research Team
On July 31, 2023, Phylum's automated risk detection platform alerted us to another series of unusual publications on npm. Within a few hours, we observed the publication of ten different "test" packages. These packages demonstrated increasing functionality and refinement as the attacker seemingly tailored the code for a specific purpose—
Phylum Discovers Sophisticated Ongoing Attack on NPM
- https://blog.phylum.io/sophisticated-ongoing-attack-discovered-on-npm/
- Published At: 1687496400000
- Updated At: 1688014800000
- Author: Phylum Research Team
On June 11, Phylum’s automated risk detection platform alerted us to a peculiar pattern of publications on NPM. The packages in question seem to be published in pairs, each pair working in unison to fetch additional resources which are subsequently decoded and/or executed. At the time of this
Malware Civil War - Malicious npm Packages Targeting Malware Authors
- https://jfrog.com/blog/malware-civil-war-malicious-npm-packages-targeting-malware-authors/
- Published At: 1645509600000
- Updated At: 1668924000000
- Author: JFrog Security Research Team
JFrog discovers 25 open-source npm malicious packages, including one that targets malware authors to hijack stolen Discord tokens.