Concise Cyber

AdaptixC2 Post-Exploitation Framework Spreads via Malicious NPM Package

Researchers at Kaspersky's Securelist have uncovered a malicious npm package built to deliver the AdaptixC2 post-exploitation framework. The package, named https-proxy-utils, typosquats the widely used http-proxy-agent and https-proxy-agent packages, which together see over 160 million weekly downloads, and carries functionality cloned from another legitimate package, proxy-from-env, so that it passes as a genuine proxy utility.

The infection hinges on an npm postinstall lifecycle script. npm runs such scripts automatically at the end of npm install, whether the package was requested directly or pulled in as a transitive dependency, so no further user action is needed. Here the script downloads and executes the AdaptixC2 agent, an open-source command-and-control framework increasingly used as an alternative to Cobalt Strike, which gives the attacker extensive control over the compromised host.

Multi-OS Infection Vector

The malicious script is designed to be cross-platform, containing specific payload delivery methods for Windows, macOS, and Linux. This broad approach maximizes the potential victim pool for the attacker.

  • Windows: the agent is written as a DLL into C:\Windows\Tasks. The script then copies the legitimate Windows system binary msdtc.exe (the Distributed Transaction Coordinator) into the same directory and launches it from there, so that the trusted executable sideloads the malicious DLL placed beside it.
  • macOS: the payload is downloaded straight into the user's ~/Library/LaunchAgents directory together with a launchd property list (plist) that starts it automatically at login. Before downloading, the script checks the CPU architecture and fetches the x64 or ARM (Apple silicon) build accordingly.
  • Linux: the agent is dropped into /tmp/.fonts-unix, a hidden directory whose name imitates the legitimate X11 font-socket directory /tmp/.font-unix. As on macOS, the script selects the architecture-specific binary and marks it executable.

The Growing Threat to Open-Source Ecosystems

Once running, the AdaptixC2 agent gives the operator remote access, command execution, file management and persistence on the victim. The incident is one more instance of a growing trend: abusing trusted open-source supply chains to distribute malware. It follows other high-profile cases such as the Shai-Hulud worm, which likewise relied on install-time scripts to infect hundreds of npm packages.

Developers and organizations should treat installing an open-source module as running untrusted code. Verify package names character by character before installing, vet recently published packages and their maintainers, pin dependencies with a lockfile, consider disabling lifecycle scripts by default (npm's ignore-scripts setting), and monitor security feeds for news of compromised libraries.

Source: https://securelist.com/adaptixc2-agent-found-in-an-npm-package/117784/