
Two malicious packages discovered in the npm package registry used GitHub to store Base64-encoded SSH keys stolen from the systems of developers who installed them.
The modules, named warbeast2000 and kodiak2k, were published earlier this month and attracted 412 and 1,281 downloads respectively before being removed by npm maintainers. The most recent download occurred on January 21, 2024.
ReversingLabs, the software supply chain security company that discovered the issue, said there are eight different versions of warbeast2000 and more than 30 versions of kodiak2k.
Both modules are designed to run a post-install script upon installation, each of which retrieves and executes a different JavaScript file. npm runs such lifecycle scripts automatically during `npm install` unless installs are performed with `--ignore-scripts`.

While warbeast2000 attempts to access the private SSH key, kodiak2k looks for a key named "meow", which raises the possibility that the threat actors were using a placeholder name in the early stages of development.
Security researcher Lucija Valentić said: “The second stage of the malicious script reads
Later versions of kodiak2k were found to execute a script taken from the archived GitHub project hosting the Empire post-exploitation framework. That script launches the Mimikatz hacking tool and dumps credentials from process memory.
"This campaign is just the latest example of cybercriminals and malicious actors leveraging open source package managers and related infrastructure to support malicious software supply chain campaigns targeting development and end-user organizations," Valentić said.