The Plot Thickens: A Tale of Sensitive Data Exfiltration
Greetings, cyber sleuths and code wranglers! Buckle up, because we're diving into a story that's got more twists and turns than a JavaScript callback function. Our friends at Phylum have stumbled upon a multi-ecosystem campaign that's sneakier than a ninja in a dark room. This bad boy aims to exfiltrate sensitive machine information to a remote server. And guess what? It's still ongoing! So, let's break it down, shall we?
The Genesis Block: How It All Began
On a seemingly ordinary day, September 12, 2023, Phylum's automated risk detection platform rang the alarm bells. A package with the mysterious name of [REDACTED] appeared on npm and PyPI. It contained just four files, including an obfuscated index.js. Ah, obfuscation, the dark art of making your code look like alphabet soup!
Deobfuscating the file revealed an attempt to exfiltrate sensitive data like kubeconfig files and SSH keys to a remote URL. Over the next two weeks, 46 publications were distributed among 39 distinct packages. It's like the attacker was trying to build the Avengers of malicious packages!