Security researchers have identified a malicious npm package in the npm registry that is engineered to deploy a remote access trojan (RAT) on the systems that install it.
The package, named “glup-debugger-log,” targets users of the gulp toolkit by mimicking gulp’s name and posing as a benign “logger for gulp and gulp plugins.” It has been downloaded 175 times so far.
Phylum, a software supply chain security firm, discovered the package and analyzed it. According to Phylum, it contains two obfuscated files that work together to deliver the malicious payload.
“One of these files functions as an initial dropper, laying the groundwork for the malware campaign by compromising the target system under specific conditions. It then proceeds to fetch additional malware components. The other script provides the attacker with a persistent remote access mechanism to manipulate the compromised system,” Phylum explained.
Examining the package’s “package.json” file, the manifest that holds all of a package’s metadata, Phylum found a test script. That script runs a JavaScript file named “index.js,” which in turn loads an obfuscated JavaScript file named “play.js.”
The latter file acts as a dropper: it fetches next-stage malware only after a series of checks pass. These checks inspect the host’s network interfaces, confirm that the operating system is Windows (Windows NT), and, unusually, count the number of files in the Desktop folder.
“They verify whether the Desktop folder within the machine’s home directory contains seven or more items,” Phylum noted.
At first glance this criterion may seem arbitrary, but it most likely serves as an indicator of real user activity, or as a way to avoid running in controlled or managed environments such as virtual machines (VMs) and fresh installations. The attacker appears to be targeting developer machines that are actively in use.
If every check passes, the dropper launches another JavaScript file configured in “package.json” (“play-safe.js”) to establish persistence. This loader can also execute arbitrary commands fetched from a URL or read from a local file.
The “play-safe.js” file starts an HTTP server that listens for commands on port 3004. When a command arrives, the server executes it and returns the command output to the client in plaintext.
Phylum described the RAT as a mix of crude and sophisticated elements: its functionality is modest and it is self-contained, yet it relies on obfuscation to hinder analysis.
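To show how a defender might triage an installed package for the traits described above, here is an added Python audit script. It is not Phylum’s tooling and contains no code from the package in the article; the list of popular package names, the regular expressions, the thresholds, and the constructed sample manifest and source snippets are all assumptions made for this example. It flags a package name within a couple of edits of a well-known name (as with “glup” versus “gulp”), lifecycle or test scripts that run a local JavaScript file, JavaScript that fingerprints the host (network interfaces, Desktop contents, platform), obfuscation signals, and JavaScript that pairs an HTTP listener with command execution.

```python
"""Heuristic audit of an unpacked npm package for supply-chain red flags.

Added example; not Phylum's tooling and not code from the package in the
article. Name list, regexes, thresholds and the sample data are assumptions.
"""
import json
import os
import re

# Assumed set of popular names used by the typosquat check.
POPULAR_PACKAGES = {"gulp", "express", "lodash", "react", "webpack", "axios"}

# Hooks that npm runs automatically or that a maintainer is likely to invoke.
SCRIPT_HOOKS = ("preinstall", "install", "postinstall", "prepare", "test")

# Capability indicators: label -> regex over JavaScript source text.
CAPABILITY_PATTERNS = {
    "enumerates_network": re.compile(r"os\.networkInterfaces\s*\("),
    "inspects_desktop": re.compile(r"readdirSync.{0,80}Desktop"),
    "checks_platform": re.compile(r"(os\.platform\s*\(|os\.type\s*\(|process\.platform)"),
    "http_listener": re.compile(r"https?\.createServer\s*\("),
    "executes_commands": re.compile(r"child_process|\b(exec|execSync|spawn)\s*\("),
}

# A script hook that runs a local .js file with node.
LOCAL_NODE_RUN = re.compile(r"\bnode\s+(?:\./)?[\w./-]+\.js\b")


def levenshtein(a, b):
    """Classic edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name, known=POPULAR_PACKAGES, max_distance=2):
    """(part, popular_name) pairs where the name or a hyphen-separated part of it
    is within max_distance edits of a popular package name."""
    parts = {name, *[p for p in name.split("-") if len(p) > 3]}
    hits = {(p, k) for p in parts for k in known
            if k != p and levenshtein(p, k) <= max_distance}
    return sorted(hits)


def suspicious_scripts(manifest):
    """(hook, command) pairs where a hook runs a local JavaScript file."""
    scripts = manifest.get("scripts") or {}
    return [(h, scripts[h]) for h in SCRIPT_HOOKS
            if h in scripts and LOCAL_NODE_RUN.search(scripts[h])]


def capability_flags(src):
    """Set of capability labels whose pattern appears in the source."""
    return {label for label, rx in CAPABILITY_PATTERNS.items() if rx.search(src)}


def obfuscation_indicators(src):
    """Cheap signals typical of JavaScript obfuscators; thresholds are assumptions."""
    longest = max((len(line) for line in src.splitlines()), default=0)
    escapes = len(re.findall(r"\\(?:x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})", src))
    hex_idents = len(set(re.findall(r"\b_0x[0-9a-fA-F]{4,}\b", src)))
    signals = set()
    if longest > 500:
        signals.add("very_long_line")
    if escapes > 20:
        signals.add("many_escape_sequences")
    if hex_idents >= 3:
        signals.add("hex_identifiers")
    return signals


def audit_package(manifest, sources):
    """manifest: parsed package.json dict; sources: {filename: JavaScript text}."""
    findings = []
    name = manifest.get("name", "")
    for part, near in typosquat_candidates(name):
        findings.append(f"'{part}' in '{name}' is within 2 edits of popular package '{near}'")
    for hook, cmd in suspicious_scripts(manifest):
        findings.append(f"script '{hook}' runs a local file: {cmd}")
    for fname, src in sources.items():
        caps = capability_flags(src)
        obf = obfuscation_indicators(src)
        if obf:
            findings.append(f"{fname}: obfuscation signals {sorted(obf)}")
        if {"enumerates_network", "inspects_desktop"} <= caps:
            findings.append(f"{fname}: fingerprints the host (network interfaces, Desktop contents)")
        if {"http_listener", "executes_commands"} <= caps:
            findings.append(f"{fname}: HTTP listener combined with command execution")
    return findings


def audit_directory(pkg_dir):
    """Audit a package on disk, e.g. node_modules/<name>."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    sources = {}
    for root, _dirs, files in os.walk(pkg_dir):
        for f in files:
            if f.endswith(".js"):
                path = os.path.join(root, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    sources[os.path.relpath(path, pkg_dir)] = fh.read()
    return audit_package(manifest, sources)


# Constructed sample mirroring the traits in the article; not the real files.
SAMPLE_MANIFEST = {"name": "glup-debugger-log", "scripts": {"test": "node index.js"}}
SAMPLE_SOURCES = {
    "play.js": "var _0x1a2b=[],_0x3c4d=os.networkInterfaces(),"
               "_0x5e6f=fs.readdirSync(path.join(os.homedir(),'Desktop'));",
    "play-safe.js": "const {exec}=require('child_process');http.createServer(handler).listen(3004);",
}

if __name__ == "__main__":
    for line in audit_package(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print(line)
```

Run it against a real package directory with audit_directory("node_modules/<name>"). The checks are deliberately coarse: a single hit (a test script that runs index.js, or a library that legitimately reads network interfaces) is common in benign packages, so the useful signal is the combination of a look-alike name, an auto-run script, obfuscated source, host fingerprinting and a command-executing listener appearing together, which is what the sample above reproduces.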
“This underscores the dynamic landscape of malware evolution within open-source ecosystems, where adversaries employ innovative techniques in their quest to create compact, efficient, and stealthy malware that can elude detection while possessing potent capabilities,” remarked the company.