Researchers at ReversingLabs have discovered a typosquatting campaign on the npm platform. The campaign used a deceptive package called "node-hide-console-windows" that closely imitated the legitimate package "node-hide-console-window" (the only difference being the trailing "s"). The rogue package deceived users and was downloaded approximately 704 times over the past two months before being taken down.
The rogue package deployed an open-source rootkit known as "r77," which allowed it to hide files and processes. It also downloaded a Discord bot called DiscordRAT 2.0, enabling threat actors to remotely control a victim's host through Discord and gather sensitive data. Additionally, the package included a payload disguised as a visual code update that was actually a Python 3 info-stealer called Blank-Grabber.
This incident highlights the risks associated with open-source software and the ease with which malicious behavior can be concealed. The campaign was assembled from freely available components, making it simple for threat actors to execute supply chain attacks. The actors behind the campaign went to great lengths, publishing multiple versions of the malicious package and closely resembling the legitimate package they were imitating. This discovery marks the first time a package with rootkit capabilities has been identified, indicating a growing trend of abusing open-source projects to distribute malware.
The malicious code in the package's index.js file ran an executable that installed DiscordRAT 2.0, a C#-based open-source trojan. The trojan allowed threat actors to remotely control the victim's host via Discord and included features for collecting sensitive data and disabling security software. The r77 rootkit, which can be triggered on the compromised system using a unique instruction, has previously been used in harmful campaigns, including the distribution of the SeroXen trojan and crypto miners. The rogue package also fetched an open-source information stealer called Blank-Grabber.
Developers must exercise caution when installing packages from open-source repositories, as threat actors can easily repurpose freely available components for their attacks. The rogue package meticulously mimicked the legitimate package's npm page and published multiple versions to deceive unsuspecting users. This trend underscores the need for caution and careful consideration when using open-source packages.
This typosquatting campaign on the npm platform has significant implications. It highlights the importance of remaining vigilant when installing packages from open-source repositories: developers must be aware of the risks associated with open-source software and the ease with which malicious behavior can be concealed. Mitigations should include thorough verification of package sources (checking the exact package name, publisher and download history before installing) and careful consideration of the components used. The discovery of a package with rootkit capabilities indicates a growing trend of using open-source projects to distribute malware, emphasizing the need for ongoing vigilance and security measures in the open-source community.
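One concrete form of the "verify package sources" mitigation above is a pre-install check that flags dependency names lying within a small edit distance of packages a project already trusts, which is exactly the "node-hide-console-window" vs. "node-hide-console-windows" pattern in this campaign. The following is an added example, not code from ReversingLabs or from either npm package; the allowlist and the sample dependency section are constructed for the demo.

```javascript
// Added example: flag package.json dependencies whose names are a small edit
// distance away from a known-good package list (typosquat detection).

// Levenshtein edit distance using a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // dp[i-1][j-1] for the current column
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j]; // dp[i-1][j], saved before overwrite
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(above + 1, prev[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return prev[b.length];
}

// Assumed allowlist: packages the project has actually vetted and depends on.
const KNOWN_PACKAGES = ["node-hide-console-window", "lodash", "express"];

// Return suspect entries: names that are NOT on the allowlist but sit within
// `maxDistance` edits of one. Exact matches are legitimate and are skipped.
function findTyposquats(dependencies, known = KNOWN_PACKAGES, maxDistance = 2) {
  const knownSet = new Set(known);
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (knownSet.has(name)) continue;
    for (const legit of known) {
      const d = levenshtein(name, legit);
      if (d > 0 && d <= maxDistance) {
        findings.push({ name, lookalikeOf: legit, distance: d });
      }
    }
  }
  return findings;
}

// Constructed sample "dependencies" section; the first entry is the campaign's lookalike.
const SAMPLE_DEPENDENCIES = {
  "node-hide-console-windows": "^1.0.0",
  "lodash": "^4.17.21",
  "chalk": "^5.0.0",
};

console.log(findTyposquats(SAMPLE_DEPENDENCIES));
```

Run it against a real package.json by passing `require("./package.json").dependencies`; a distance of 1 or 2 to a trusted name is worth a manual look at the publisher and download history before installing.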