Cybersecurity researchers have uncovered a year-long software supply chain attack involving a malicious npm package named @0xengine/xmlrpc, which was designed to steal sensitive data and mine cryptocurrency. The attack leveraged both direct installations and hidden dependencies to infiltrate systems.
Initially published on October 2, 2023, as a JavaScript-based XML-RPC server and client for Node.js, the package appeared benign, accumulating 1,790 downloads. However, malicious functionality was introduced the following day in version 1.3.4. This version enabled the package to exfiltrate critical system data such as SSH keys, environment variables, bash history, and system metadata every 12 hours via services like Dropbox and file.io.
The discovery, made by Checkmarx, revealed that the attack spread through two key methods:
- Direct Installation: Developers downloaded the package directly from the npm registry.
- Hidden Dependencies: The package was embedded in the dependencies of a GitHub project named yawpp (“Yet Another WordPress Poster”), a tool claiming to automate WordPress post creation. When users installed yawpp, the malicious npm package was automatically downloaded and executed.
It’s unclear if the yawpp tool’s developer knowingly included the malicious dependency. The tool’s repository has only been forked once as of this report, yet it demonstrates how attackers exploit trusted package dependencies to distribute malware effectively.
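As an added illustration (not code from the Checkmarx report or from either project), the following script checks a project's package-lock.json for @0xengine/xmlrpc at 1.3.4 or later, the first version the article identifies as malicious, and reports which dependency declared it, so the hidden-dependency path through a tool like yawpp stays visible even when npm hoists the package to the top level. The lockfile contents and the version-comparison helper are constructed for this example.

```javascript
// Added example: audit a lockfileVersion 2/3 package-lock.json ("packages" map)
// for @0xengine/xmlrpc and flag versions at or above the first malicious one.
const MALICIOUS_PKG = "@0xengine/xmlrpc";
const FIRST_BAD_VERSION = "1.3.4"; // version named in the article

// Minimal numeric semver compare (pre-release suffixes are stripped).
// Constructed helper; use a real semver library in production tooling.
function semverGte(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) > (pb[i] || 0);
  }
  return true;
}

function findMaliciousXmlrpc(lock) {
  const packages = lock.packages || {};
  // npm hoists transitive dependencies, so nesting depth alone does not show
  // who pulled the package in; inspect every entry's dependency map instead.
  const requiredBy = [];
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...(meta.dependencies || {}), ...(meta.devDependencies || {}) };
    if (MALICIOUS_PKG in deps) {
      requiredBy.push(path === "" ? "<root package.json>" : path.split("node_modules/").pop());
    }
  }
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path.endsWith("node_modules/" + MALICIOUS_PKG)) continue;
    hits.push({
      path,
      version: meta.version,
      requiredBy,
      malicious: semverGte(meta.version, FIRST_BAD_VERSION),
    });
  }
  return hits;
}

// Constructed lockfile: the root depends only on yawpp, which pulls in the
// package as a hidden transitive dependency that npm hoists to the top level.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { yawpp: "^1.0.0" } },
    "node_modules/yawpp": { version: "1.0.0", dependencies: { "@0xengine/xmlrpc": "^1.3.4" } },
    "node_modules/@0xengine/xmlrpc": { version: "1.3.4" },
  },
};

console.log(findMaliciousXmlrpc(sampleLock));
```

Point the script at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `sampleLock`; an empty result means the package is absent from the resolved tree.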
Malicious Behavior
Once installed, the malware performs the following actions:
- Data Collection: Gathers system details and exfiltrates them to remote services.
- Persistence: Establishes persistence on the host system using systemd.
- Cryptocurrency Mining: Deploys the XMRig miner to mine Monero cryptocurrency.
- Process Monitoring: Kills the miner when user monitoring tools (e.g., top, iostat) are detected, and suspends mining while a user is active, to avoid drawing attention.
As many as 68 systems have been compromised, actively mining cryptocurrency for the attackers’ Monero wallet.
Expert Insights
“This incident highlights the ongoing risks in the software supply chain,” said Yehuda Gelb, a Checkmarx security researcher. “Even well-maintained packages can be compromised, requiring developers to stay vigilant during both initial adoption and subsequent updates.”
This revelation coincides with another campaign uncovered by Datadog Security Labs. Attackers used counterfeit packages on npm and PyPI to distribute stealer malware, Blank-Grabber and Skuld Stealer. Dubbed MUT-8694, the threat cluster employed typosquatting techniques and targeted platforms like Roblox.
Datadog identified 18 malicious npm packages and 39 on PyPI as part of this campaign. The libraries mimicked legitimate ones to deceive developers. “The persistence and scale of MUT-8694 underscore the growing threat to software developers,” Datadog researchers noted.
These findings serve as a critical reminder of the importance of scrutinizing package dependencies to protect systems from software supply chain attacks.