The Plot Thickens: A Tale of Sensitive Data Exfiltration
The Genesis Block: How It All Began
On a seemingly ordinary day, September 12, 2023, Phylum's automated risk detection platform rang the alarm bells. A package with the mysterious name of [REDACTED] appeared on npm and PyPI. It contained just four files, including an obfuscated index.js. Ah, obfuscation, the dark art of making your code look like alphabet soup!
Deobfuscating the file revealed an attempt to exfiltrate sensitive data like kubeconfig files and SSH keys to a remote URL. Over the next two weeks, 46 publications were distributed among 39 distinct packages. It's like the attacker was trying to build the Avengers of malicious packages!