Concise Cyber

Malicious NPM Packages Deploy Cross-Platform Infostealer on Windows, Linux, macOS

Cybersecurity researchers at Phylum have identified a new campaign distributing malicious packages on the npm open-source software registry. The packages were engineered to deploy a sophisticated, Rust-based information stealer capable of targeting Windows, Linux, and macOS operating systems. The discovery highlights the ongoing threat of software supply chain attacks targeting developers who rely on public package repositories.

The threat actors published two primary packages, ‘warbeast-gtm’ and ‘warbeast-gts’, which contained malicious code executed upon installation. This was achieved through a ‘postinstall’ script defined in the package.json file, a common attack vector in the npm ecosystem. Once a developer installed one of the malicious packages, the script would trigger the download and execution of a specific payload tailored to the user’s operating system.

Cross-Platform Payload Delivery

The attack was designed for broad impact across different development environments. The installation script checked the host operating system and fetched the corresponding malicious binary. For Windows systems, it downloaded an executable (.exe) file. For Linux, it retrieved an ELF binary, and for macOS, it fetched a Mach-O executable. This multi-platform approach ensured the infostealer could compromise a wide range of developer machines, regardless of their preferred OS. The packages were swiftly removed from the npm registry after their discovery, but any systems where they were installed remain at risk.

Infostealer Capabilities and Data Exfiltration

The Rust-based malware executed by the packages is a potent information stealer. Upon execution, it systematically scans the compromised system for sensitive data. Its targets include information stored in web browsers, cryptocurrency wallets, and password management applications. The malware also collects system information, such as hostname, username, and OS version. All the stolen data is then exfiltrated to the attacker’s command-and-control server. This type of data theft provides threat actors with credentials, financial information, and other personal details that can be used for further malicious activities.

Source: https://www.bleepingcomputer.com/news/security/malicious-npm-packages-fetch-infostealer-for-windows-linux-macos/