
Popular node-ipc npm package compromised to steal credentials

  • General

Hackers have embedded credential-stealing malware into newly released versions of node-ipc, a widely used inter-process communication library for Node.js, in a fresh supply-chain attack on the npm ecosystem. node-ipc is a JavaScript module that lets separate processes talk to each other over any kind of socket (Unix, Windows, UDP, TLS, and TCP). Although its maintainer published weaponized versions in March 2022 that deliberately targeted systems in Russia and Belarus with a data-wiping payload in protest of the invasion of Ukraine, the package still receives over 690,400 weekly downloads on npm.

The latest supply-chain attack was identified by several application security firms, including Socket, Ox Security, and Upwind, which flagged three versions as malicious: node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1.

The malicious code hides in the package's CommonJS (.cjs) entry point, so it runs automatically whenever an application loads the module. It is heavily obfuscated; once running, it fingerprints the infected system, collects environment variables and sensitive local files, packs the stolen data into archives, and exfiltrates it through DNS TXT queries.

The latest compromise is believed to be the work of an external threat actor who took over the account of an inactive maintainer, 'atiertant'.

Researchers say the infostealer embedded in the new node-ipc releases collects several kinds of data from infected machines:

  • Cloud credentials for AWS, Azure, GCP, OCI, DigitalOcean, and various other providers
  • SSH keys and configuration files
  • Kubernetes, Docker, Helm, and Terraform configuration files

  BleepingComputer
