Cybersecurity

The npm and PyPI Heist: When Code Repos Turn Into Spy Agencies

By TFH

Published on Sep 27, 2023

Summary

Greetings, cyber sleuths and code wranglers! Buckle up, because we're diving into a story that's got more twists and turns than a JavaScript callback function. Our friends at Phylum have stumbled upon a multi-ecosystem campaign that's sneakier than a ninja in a dark room.

The Plot Thickens: A Tale of Sensitive Data Exfiltration

The campaign Phylum uncovered aims to exfiltrate sensitive machine information to a remote server. And guess what? It's still ongoing! So, let's break it down, shall we?

The Genesis Block: How It All Began

On a seemingly ordinary day, September 12, 2023, Phylum's automated risk detection platform rang the alarm bells. A package with the mysterious name of [REDACTED] appeared on npm and PyPI. It contained just four files, including an obfuscated index.js. Ah, obfuscation, the dark art of making your code look like alphabet soup!

Deobfuscating the file revealed an attempt to exfiltrate sensitive data like kubeconfig files and SSH keys to a remote URL. Over the next two weeks, 46 publications were distributed among 39 distinct packages. It's like the attacker was trying to build the Avengers of malicious packages!
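The pattern described above (a lifecycle hook, an obfuscated entry file, references to kubeconfig and SSH key paths, and a network call) is what a triage scan can look for before a package is installed. The following is an added example, not Phylum's tooling or code from the campaign; the indicator lists and the constructed sample package are assumptions for illustration.

```python
"""Heuristic triage of an unpacked npm package: flag install hooks,
references to credential files, network calls, and obfuscation markers.
The sample package written by build_sample() is constructed, not real."""
import json
import re
import tempfile
from pathlib import Path

# Credential files the campaign targeted plus common neighbours (assumed list).
SENSITIVE_PATHS = [r"\.kube/config", r"kubeconfig", r"\.ssh/", r"id_rsa", r"\.npmrc"]
EXFIL_APIS = [r"\bfetch\(", r"https?\.request\(", r"\baxios\b", r"XMLHttpRequest"]
OBFUSCATION = [r"_0x[0-9a-f]{4,}", r"\beval\(", r"new Function\(", r"String\.fromCharCode"]
HOOKS = ("preinstall", "install", "postinstall", "prepare")

def scan_package(pkg_dir: Path) -> dict:
    """Return findings keyed by heuristic; each value lists 'file: pattern' hits."""
    findings = {"hooks": [], "sensitive_paths": [], "exfil_apis": [], "obfuscation": []}
    manifest = pkg_dir / "package.json"
    if manifest.exists():
        scripts = json.loads(manifest.read_text()).get("scripts", {})
        findings["hooks"] = [f"{h}: {scripts[h]}" for h in HOOKS if h in scripts]
    for js in pkg_dir.rglob("*.js"):
        src = js.read_text(errors="replace")
        checks = (("sensitive_paths", SENSITIVE_PATHS), ("exfil_apis", EXFIL_APIS),
                  ("obfuscation", OBFUSCATION))
        for key, pats in checks:
            findings[key] += [f"{js.name}: {p}" for p in pats if re.search(p, src)]
        # Obfuscated bundles are usually one very long line.
        if max((len(line) for line in src.splitlines()), default=0) > 2000:
            findings["obfuscation"].append(f"{js.name}: line longer than 2000 chars")
    return findings

def risk_score(findings: dict) -> int:
    """Count heuristics that fired; hook + credential paths + network call is the shape to block."""
    return sum(1 for hits in findings.values() if hits)

def build_sample(malicious: bool = True) -> Path:
    """Write a constructed sample package to a temp dir and return its path."""
    pkg = Path(tempfile.mkdtemp()) / "pkg"
    pkg.mkdir()
    if malicious:
        manifest = {"name": "sample", "version": "1.0.0", "scripts": {"postinstall": "node index.js"}}
        js = ("var _0x1a2b=['/.kube/config','/.ssh/id_rsa'];"
              "/* constructed: indicator strings only, not a working payload */"
              "https.request({hostname:'exfil.invalid'});eval('');")
    else:
        manifest = {"name": "sample", "version": "1.0.0", "scripts": {"test": "node test.js"}}
        js = "const fs=require('fs');module.exports=()=>fs.readFileSync('./config.json','utf8');"
    (pkg / "package.json").write_text(json.dumps(manifest))
    (pkg / "index.js").write_text(js)
    return pkg
```

Run `scan_package` over a tarball extracted with `npm pack` before installing; a non-zero risk score on a package you did not expect to carry install hooks is the cue to read the deobfuscated file by hand.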
