Recent security research has uncovered hidden backdoor code in two npm packages, img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy [1] [2] [3] [4] [5], that enabled remote command execution.

Description

Disguised as legitimate npm libraries [3], the packages contained a concealed JavaScript file named loadformat.js that gave them command-and-control functionality by way of image files. The malicious code extracted and executed harmful content hidden in image files of the Intel, Microsoft and AMD logos [2] [3] [4], then established communication with a command-and-control server to receive commands and exfiltrate data. Both packages were swiftly removed from the npm registry to prevent further harm [1]; the case highlights the increasing sophistication of malicious packages in open source ecosystems [3] [4].
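One defensive check this technique suggests, as an added example that is not code from the article or from the packages it describes: scan an unpacked package for image files that carry bytes after the format's end-of-image marker. It assumes the hidden code is appended after that marker, which is one common way of hiding data in images, not a claim about how these particular packages did it.

```python
import os
from typing import Iterable, Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg")

def trailing_bytes(data: bytes) -> Optional[bytes]:
    """Bytes after the end-of-image marker: b"" if nothing is appended,
    None if the data is not PNG/JPEG or ends before its end marker."""
    if data.startswith(PNG_SIGNATURE):
        # Walk the chunk list (length, type, data, crc) so a stray "IEND"
        # inside compressed IDAT data cannot fool the check.
        pos = len(PNG_SIGNATURE)
        while pos + 8 <= len(data):
            length = int.from_bytes(data[pos:pos + 4], "big")
            chunk_type = data[pos + 4:pos + 8]
            pos += 12 + length
            if chunk_type == b"IEND":
                return data[pos:]
        return None
    if data.startswith(JPEG_SOI):
        # Entropy-coded JPEG data has no clean chunk walk, so use the last
        # EOI marker; a payload that itself contains FF D9 would be missed.
        idx = data.rfind(JPEG_EOI)
        return None if idx == -1 else data[idx + 2:]
    return None

def scan_files(files: Iterable[tuple[str, bytes]]) -> list[tuple[str, int]]:
    """(name, appended byte count) for every image file carrying extra data."""
    findings = []
    for name, data in files:
        if name.lower().endswith(IMAGE_EXTENSIONS):
            tail = trailing_bytes(data)
            if tail:
                findings.append((name, len(tail)))
    return findings

def scan_directory(root: str) -> list[tuple[str, int]]:
    """Scan an unpacked package tree on disk, e.g. node_modules/<pkg>."""
    def walk():
        for dirpath, _, filenames in os.walk(root):
            for fn in filenames:
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    yield path, fh.read()
    return scan_files(walk())
```

Run `scan_directory("node_modules")` against an installed tree; any finding deserves a manual look at the image and at whichever script in the package reads it.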

Conclusion

This incident underscores the importance of vigilance when utilizing libraries and the necessity of thoroughly vetting all components and packages to protect against potential threats. It also emphasizes the need for continuous monitoring and proactive measures to mitigate risks and safeguard against future cybersecurity breaches.

References

[1] https://www.krofeksecurity.com/uncovering-hidden-threats-malicious-npm-packages-exploiting-image-files/
[2] https://arstechnica.com/security/2024/07/code-sneaked-into-fake-aws-downloaded-hundreds-of-times-backdoored-dev-devices/
[3] https://thehackernews.com/2024/07/malicious-npm-packages-found-using.html
[4] https://dknewsbuzz.com/malicious-npm-packages-found-using-image-files-to-hide-backdoor-code/
[5] https://www.redpacketsecurity.com/malicious-npm-packages-found-using-image-files-to-hide-backdoor-code/