
Hackers have injected credential-stealing malware into newly released versions of node-ipc, a popular inter-process communication package, in a new supply chain attack targeting npm.
The node-ipc package is a Node.js module that lets multiple processes communicate over all kinds of sockets, including Unix, Windows, UDP, TLS, and TCP.
Although the maintainer published weaponized versions in March 2022 that targeted Russia- and Belarus-based systems with a data-overwriting module, in protest at the Russian invasion of Ukraine, the package still has more than 690,000 weekly downloads on npm.
The recent supply-chain attack was detected by multiple application security companies, including Socket, Ox Security, and Upwind, who confirmed the following three versions as malicious:
- node-ipc@9.1.6
- node-ipc@9.2.3
- node-ipc@12.0.1
The malicious code hides in the CommonJS entrypoint (node-ipc.cjs) and executes automatically whenever the package is loaded.
The malware is heavily obfuscated and fingerprints infected systems, collects environment variables and sensitive local files, compresses the stolen data into archives, and exfiltrates it via DNS TXT queries.
The latest compromise appears to be the work of an external actor who compromised the account of an inactive maintainer named ‘atiertant.’
According to the researchers, the infostealer injected into the new node-ipc versions collects the following types of data from compromised systems:
- Cloud credentials from AWS, Azure, GCP, OCI, DigitalOcean, and others
- SSH keys and SSH configs
- Kubernetes, Docker, Helm, and Terraform credentials
- npm, GitHub, GitLab, and Git CLI tokens
- .env files and database credentials
- Shell histories and CI/CD secrets
- macOS Keychain files and Linux keyrings
- Firefox profile and key database files (on macOS)
- Microsoft Teams local storage and IndexedDB paths
The malware skips files larger than 4 MiB and avoids scanning .git and node_modules directories to increase efficiency and reduce operational noise on the host.

[Figure] Source: Ox Research
A notable operational feature is the use of DNS TXT queries instead of conventional HTTP-based command-and-control (C2) traffic for data exfiltration. The attackers use a fake Azure-themed domain (sh[.]azurestaticprovider[.]net:443) as a bootstrap resolver, transmitting the data to ‘bt[.]node[.]js’ with query prefixes like xh, xd, and xf.
According to Socket, exfiltrating a 500 KB compressed archive could generate roughly 29,400 DNS TXT requests, helping the traffic blend into normal DNS activity.
Before submission, the malware temporarily stores the collected data in compressed tar.gz archives, which are deleted after exfiltration to reduce forensic traces.
The malware does not establish persistence or download any secondary payloads, so the operation appears focused on quick credential theft and exfiltration.
Potentially impacted developers should immediately remove the affected versions, rotate exposed secrets and credentials, and check lockfiles and npm caches.
