Malicious npm Packages Found Using Image Files to Hide Backdoor Code
2024-07-16 10:09

Cybersecurity researchers have identified two malicious packages on the npm package registry that concealed backdoor code to execute malicious commands sent from a remote server.

The packages in question - img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy - have been downloaded 190 and 48 times, respectively.

"They contained sophisticated command and control functionality hidden in image files that would be executed during package installation," software supply chain security firm Phylum said in an analysis.

The packages are designed to impersonate a legitimate npm library called aws-s3-object-multipart-copy, but come with an altered version of the "Index.js" file to execute a JavaScript file.

For its part, the JavaScript file is designed to process three images - that feature the corporate logos for Intel, Microsoft, and AMD - with the image corresponding to Microsoft's logo used to extract and execute the malicious content.
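A defender's static triage for the pattern described above, as an added example that is not from Phylum's analysis or the original article. It assumes the install-time execution is wired through npm's lifecycle scripts (preinstall, install, postinstall); the function name, rule names and sample packages are hypothetical and constructed for illustration.

```javascript
// Added example: heuristic triage of an unpacked npm package (not Phylum's tooling).
// Input: parsed package.json and a map of file path -> source text.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"]; // npm lifecycle scripts
const IMAGE_REF = /['"`][^'"`\n]*\.(?:png|jpe?g|gif|bmp|ico|webp)['"`]/i;
const FILE_READ = /\breadFile(?:Sync)?\s*\(|\bcreateReadStream\s*\(/;
const DYNAMIC_EXEC = /\beval\s*\(|\bFunction\s*\(|child_process|\bvm\.run/;

function triagePackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    // Anything here runs automatically on `npm install`.
    if (scripts[hook]) findings.push({ rule: "install-hook", where: hook, detail: scripts[hook] });
  }
  for (const [path, text] of Object.entries(files)) {
    if (!/\.[cm]?js$/i.test(path)) continue;
    // Image bytes read from disk in a file that also builds or spawns code.
    if (IMAGE_REF.test(text) && FILE_READ.test(text) && DYNAMIC_EXEC.test(text)) {
      findings.push({ rule: "image-to-exec", where: path, detail: "image read + dynamic execution" });
    }
  }
  const rules = new Set(findings.map((f) => f.rule));
  // Either rule alone is common in benign packages; together they merit manual review.
  return { suspicious: rules.has("install-hook") && rules.has("image-to-exec"), findings };
}

// Constructed samples (hypothetical names and contents, for illustration only).
const SAMPLE_SUSPICIOUS = {
  manifest: { name: "example-lookalike", scripts: { postinstall: "node index.js" } },
  files: {
    "index.js": 'require("./lib/process-logos.js");',
    "lib/process-logos.js":
      'const fs = require("fs");\nconst b = fs.readFileSync("logo2.png");\nnew Function(decode(b))();',
  },
};
const SAMPLE_BENIGN = {
  manifest: { name: "example-thumbnailer", scripts: { postinstall: "node scripts/build.js" } },
  files: { "scripts/build.js": 'const fs = require("fs");\nresize(fs.readFileSync("banner.png"));' },
};

for (const pkg of [SAMPLE_SUSPICIOUS, SAMPLE_BENIGN]) {
  const result = triagePackage(pkg.manifest, pkg.files);
  console.log(pkg.manifest.name, result.suspicious ? "REVIEW" : "ok", result.findings);
}
```

The check is a review-queue heuristic, not a verdict: obfuscated code can evade the regular expressions, so a clean result does not clear a package.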

"In the last few years, we've seen a dramatic rise in the sophistication and volume of malicious packages published to open source ecosystems," Phylum said.


News URL

https://thehackernews.com/2024/07/malicious-npm-packages-found-using.html