Security researchers from ReversingLabs recently discovered two malicious packages, warbeast2000 and kodiak2k [1] [2] [4] [5] [6] [8], on the npm open source package manager [2] [3] [5] [7] [8]. These packages were found to steal SSH private keys from developer systems, Base64-encode them and store them in a GitHub repository [4] [5]. This incident highlights the growing trend of cybercriminals exploiting open source package managers for their software supply chain campaigns [3] [7].

Description

Warbeast2000 and kodiak2k were identified as malicious packages on the npm open source package manager. Warbeast2000 attempted to access private SSH keys [1] [2] [5], while kodiak2k specifically targeted a key named “meow.” The stolen SSH keys were uploaded to a GitHub repository controlled by the attacker. The warbeast2000 package contained malicious functionality only in its final version, while kodiak2k had over 30 versions, with later versions executing additional malicious scripts and potentially launching the Mimikatz hacking tool. Both packages were promptly reported and removed from npm by its maintainers.

This incident highlights the increasing number of malicious packages found on open source package managers. These attacks specifically target SSH keys, which authenticate developers to source repositories and therefore pose a potential risk to proprietary code. The impact of this campaign was limited [3] [7] [8], with warbeast2000 being downloaded fewer than 400 times and kodiak2k being downloaded around 950 times [8]. However, there is growing concern about malicious actors’ increasing use of open source software and development infrastructure [3]. GitHub is being used to host components of malicious command-and-control infrastructure [3].
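The behaviour described above (an npm install hook that reads SSH private keys, Base64-encodes them and pushes them to GitHub) can be screened for statically before a package is ever installed. The following triage function is an added example, not code from the page or from ReversingLabs; the indicator regexes, the `triagePackage` helper and the sample packages are all assumptions constructed here, and the sample script is a non-functional fragment used only as input.

```javascript
// Added example, not the page's or ReversingLabs' code. Everything is constructed in
// memory; nothing is fetched or executed. Hits are leads for review, not proof.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const INDICATORS = [
  { label: 'ssh-key-path', re: /\.ssh\b/ },
  { label: 'base64-encoding', re: /toString\(\s*['"]base64['"]\s*\)|btoa\(|base64/i },
  { label: 'github-upload', re: /api\.github\.com|github\.com\/[^\s'"]+\.git|\bgit\s+push\b/ },
];

function scanText(text) {
  return INDICATORS.filter((ind) => ind.re.test(text)).map((ind) => ind.label);
}

// Local script files named in a hook command, e.g. "node index.js" -> ["index.js"].
function referencedFiles(command) {
  return command.match(/[\w./-]+\.(?:js|cjs|mjs|sh)\b/g) || [];
}

// files maps relative path -> contents. Returns per-hook findings and a verdict.
function triagePackage(files) {
  const pkg = JSON.parse(files['package.json']);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = scripts[hook];
    const hits = new Set(scanText(command));
    for (const file of referencedFiles(command)) {
      if (file in files) scanText(files[file]).forEach((h) => hits.add(h));
    }
    findings.push({ hook, command, hits: [...hits].sort() });
  }
  // SSH key path access combined with a GitHub upload is the reported pattern.
  const suspicious = findings.some(
    (f) => f.hits.includes('ssh-key-path') && f.hits.includes('github-upload'));
  return { name: pkg.name, hooks: findings.map((f) => f.hook), findings, suspicious };
}

// Constructed sample whose postinstall hook resembles the reported behaviour.
const SAMPLE_FILES = {
  'package.json': JSON.stringify({ name: 'constructed-sample', version: '1.0.0',
    scripts: { postinstall: 'node index.js', test: 'echo ok' } }),
  'index.js': [
    "// constructed fragment, not a working script",
    "const key = fs.readFileSync(path.join(os.homedir(), '.ssh', 'id_rsa'));",
    "const payload = key.toString('base64');",
    "// payload would go to https://api.github.com/repos/<placeholder>/contents/...",
  ].join('\n'),
};
const CLEAN_FILES = { 'package.json': JSON.stringify({ name: 'clean-sample', scripts: { test: 'node test.js' } }) };
```

Run against an unpacked tarball before `npm install`, and note that `npm install --ignore-scripts` prevents lifecycle hooks like these from running at all.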

Conclusion

The discovery of these malicious packages underscores the need for developers to conduct thorough security assessments before incorporating software from package managers like npm or PyPI. While the impact of this specific incident was limited, the increasing number of malicious packages found on open source package managers is a cause for concern. It is crucial for developers to remain vigilant and take necessary precautions to protect their systems and proprietary code. The use of open source software and development infrastructure by malicious actors is a trend that requires ongoing attention and mitigation efforts.

References

[1] https://droidtuto.com/des-packages-npm-malveillants-exfiltrent-des-centaines-de-cles-ssh-de-developpeur-via-github/
[2] https://ciso2ciso.com/malicious-npm-packages-exfiltrate-hundreds-of-developer-ssh-keys-via-github-sourcethehackernews-com/
[3] https://flyytech.com/2024/01/23/malicious-npm-packages-used-to-target-github-developer-ssh-keys/
[4] https://www.linkedin.com/posts/wdevault_malicious-npm-packages-exfiltrate-hundreds-activity-7155568268882132992-xQEd
[5] https://owasp.or.id/2024/01/23/malicious-npm-packages-exfiltrate-hundreds-of-developer-ssh-keys-via-github/
[6] https://thehackernews.com/2024/01/malicious-npm-packages-exfiltrate-1600.html
[7] https://www.infosecurity-magazine.com/news/npm-packages-target-github-ssh-keys/
[8] https://securityboulevard.com/2024/01/gitgot-github-leveraged-by-cybercriminals-to-store-stolen-data/