npm Package @0xengine/xmlrpc Turns Malicious, Steals Data and Mines Cryptocurrency
2024-11-28
Got you some real good FUD, learn about the dangers of supply chain attacks.
A software supply chain attack was discovered involving the npm package @0xengine/xmlrpc, which was initially a legitimate JavaScript-based XML-RPC server and client for Node.js, but later became malicious. The attack involved adding code to steal sensitive data and mine cryptocurrency, distributed through npm and a GitHub repository named yawpp. The malware harvests data, establishes persistence, and uses XMRig to mine cryptocurrency on compromised systems. This incident underscores the need for vigilance in monitoring software supply chains, as packages can become threats over time.
Sensitive Data, Malware, Supply Chain, Open Source, Git/Repo Breach
npm, supply chain attack, data theft, cryptocurrency mining, @0xengine/xmlrpc, Node.js, GitHub
N/A
npm, Node.js, yawpp, GitHub, Dropbox, file.io, systemd, XMRig, Monero
Malicious Activity Detected in npm Package: @0xengine/xmlrpc
A significant software supply chain attack has been uncovered within the npm package registry, affecting the JavaScript ecosystem. This attack involves the npm package named @0xengine/xmlrpc, which turned malicious after its initial release.
Initial Release and Malicious Transformation
The package @0xengine/xmlrpc was first published on October 2, 2023, as a seemingly benign XML-RPC server and client for Node.js applications. However, the following day, a version update (1.3.4) introduced malicious code. This code was designed to steal sensitive information from systems and mine cryptocurrency.
Data Theft and Mining Operations
Once installed, the malicious package begins harvesting critical data, including SSH keys, bash history, system metadata, and environment variables. This data is exfiltrated using services like Dropbox and file.io every 12 hours. Alongside data theft, the package deploys a cryptocurrency miner (XMRig) on infected systems, utilizing the Monero wallet for transactions.
Distribution Mechanisms
The attack propagates through two main vectors:
Direct Installation via npm: Users installing the package directly from the npm registry are at risk.
Dependency in a GitHub Project: A GitHub repository named "yawpp" lists the malicious package as a dependency. This repository appears to be a tool for creating WordPress posts. However, when users set up yawpp, the malicious npm package is automatically downloaded and installed. It is unclear if the yawpp repository's developer intentionally included this package.
Persistence and Evasion Techniques
The malware establishes persistence on infected systems using systemd. It actively monitors system processes to evade detection, terminating mining operations if user activity is detected or if certain system monitoring commands are executed.
Implications for Software Supply Chain Security
This incident highlights the ongoing risks within software supply chains, stressing the importance of continuous monitoring and vetting of packages throughout their lifecycle. Even packages with a history of consistent maintenance can become threats if compromised.
https://thehackernews.com/2024/11/xmlrpc-npm-library-turns-malicious.html?m=1