
"The poisoned package, chalk-tempalte, masquerades as an extension for the popular JavaScript terminal string styling library Chalk. It now contains a clone of Shai-Hulud, which TeamPCP published last week on GitHub after poisoning more than 170 npm packages with the credential-stealing malware as part of the ongoing supply chain attacks targeting open source dev tools."
"Plus, the same scumbag that uploaded the worm to chalk-tempalte also published three other malicious npm packages - @deadcode09284814/axios-util, axois-utils, and color-style-utils - containing infostealer code, according to Ox security researchers, which detected and reported the malware over the weekend."
""The four malwares are inherently different, as the collected data varies between them, including exfiltrated IP addresses, cloud configurations, crypto wallets, environment variables, and even one malware turning the victim's machine into a DDoS botnet - all from the same npm user," researcher Moshe Siman Tov Bustan wrote on Sunday."
""The use of lhr.life is a clear indicator of a reverse proxy used to expose an internal network to the internet," they wrote in an email, adding that the miscreant(s) seem to be financially motivated as the code targets victims' cryptocurrency wallets and accounts."
A malicious npm package named chalk-tempalte masquerades as an extension for the Chalk JavaScript terminal styling library. The package contains a clone of Shai-Hulud, the credential-stealing worm that TeamPCP published on GitHub after using it to poison more than 170 npm packages. The same npm user also published three other malicious packages, @deadcode09284814/axios-util, axois-utils, and color-style-utils, each containing infostealer code. The four variants collect different data, including exfiltrated IP addresses, cloud configurations, crypto wallets, and environment variables, and one turns infected machines into a DDoS botnet. Weekly downloads total 2,678, and researchers report the campaign likely ran from a home computer or local server farm, with a reverse proxy (lhr.life) used to expose the operator's internal network to the internet. The targeting of cryptocurrency wallets suggests financial motivation, while the DDoS capability may indicate other affiliations.
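A defensive manifest check that follows from the above, added here and not part of The Register's report or Ox Security's research: it flags the four package names reported in the article as exact matches and, separately, dependency names that are one edit or one adjacent-letter swap away from a well-known package (the pattern behind chalk-tempalte and axois-utils). The popular-package watch-list and the sample package.json are constructed for the example.

```python
import json

# Constructed watch-list: the well-known names a developer likely meant to type.
POPULAR = {"chalk", "chalk-template", "axios", "color", "lodash", "express"}

# The four package names reported in the article; an exact match is an indicator.
REPORTED_MALICIOUS = {"chalk-tempalte", "@deadcode09284814/axios-util",
                      "axois-utils", "color-style-utils"}

# Constructed sample package.json (not from the article) for the demo below.
SAMPLE_MANIFEST = '{"dependencies": {"chalk": "^5", "chalk-tempalte": "1.0.0"},' \
                  ' "devDependencies": {"axois": "0.1.0", "lodash": "^4"}}'

def osa_distance(a, b):
    # Optimal string alignment: edits plus adjacent transposition, so 'axois'->'axios' costs 1.
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1): d[i][0] = i
    for j in range(len(b) + 1): d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def unscoped(name):
    # '@scope/pkg' -> 'pkg' so the bare name is what gets compared.
    return name.split("/", 1)[1] if name.startswith("@") and "/" in name else name

def audit_dependencies(names, max_distance=1):
    # Returns {package: reason} for reported names and near-misses of popular
    # names; a name that IS a popular package is never flagged.
    findings = {}
    for name in names:
        if name in REPORTED_MALICIOUS:
            findings[name] = "reported malicious package"
        elif unscoped(name) not in POPULAR:
            for good in POPULAR:
                if osa_distance(unscoped(name), good) <= max_distance:
                    findings[name] = f"possible typosquat of {good}"
                    break
    return findings

def audit_manifest(text):
    manifest = json.loads(text)
    names = [n for key in ("dependencies", "devDependencies")
             for n in manifest.get(key, {})]
    return audit_dependencies(names)
```

Names built by appending plausible suffixes to a real package (color-style-utils) are not near-misses by edit distance, which is why the exact-match list is kept alongside the distance check.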
Read at theregister