Security researchers at Checkmarx have disclosed a supply chain attack that ran for over a year, embedding malicious code in the npm package @0xengine/xmlrpc. The package first appeared as a legitimate XML-RPC implementation and was later turned into a vector for cryptocurrency mining and data theft.
Duration and Updates
The package operated undetected from October 2023 through November 2024, receiving 16 updates that were presented as routine maintenance while concealing the malicious changes.
Functionality Shift
Early releases behaved as a plain XML-RPC implementation. Beginning with version 1.3.4, the package carried malicious functionality, concentrated in a heavily obfuscated `validator.js` file; every release from that version onward should be treated as compromised.
Malicious Activities
The malware harvested SSH keys and shell history every 12 hours and mined cryptocurrency on affected machines. Stolen data was exfiltrated through Dropbox and file.io.
Distribution Mechanism
Two distribution vectors were identified: direct installation of the package from npm, and a decoy GitHub repository, "yawpp", whose project listed the package as a dependency so that installing it pulled the malicious code in transitively.
Investigation Findings
Mining Operations
The attack used XMRig to mine Monero, directing the CPU time of compromised Linux systems to the attackers' wallet. At the time of the investigation, 68 systems were actively mining.
Evasion Tactics
The miner checked for user activity and ran only while the system appeared idle, and it monitored for and disguised signs of its own mining activity to avoid detection.
Persistence Techniques
The malware established persistence by installing a systemd service named "Xsession.auth", so the miner was restarted automatically after every reboot.
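The indicators above (the package name, the 1.3.4 version threshold, the "yawpp" dependency path and the "Xsession.auth" unit) can be checked mechanically on a host or in a repository. The following Python is an added example written for this write-up, not Checkmarx's tooling and not code from the package itself: it walks a package-lock.json (lockfileVersion 1, 2 or 3) for every copy of the package and for whichever dependency requires it, and scans a systemd unit listing for the persistence service. The lock file and unit listing embedded below are constructed test data, and the assumption that the unit file was named `Xsession.auth.service` is just that, so the check also matches the bare name.

```python
"""Audit a package-lock.json and a systemd unit listing for the indicators
described in the article. Added example, not Checkmarx's tooling; the lock
files and unit list below are constructed test data."""
import json
import re
from typing import Iterable

# Indicators taken from the article: package name, first version shipping the
# obfuscated validator.js, and the name of the persistence unit.
MALICIOUS_PACKAGE = "@0xengine/xmlrpc"
FIRST_MALICIOUS_VERSION = (1, 3, 4)
SYSTEMD_UNIT_NAME = "Xsession.auth"


def parse_version(spec: str):
    """Return (major, minor, patch) from "1.3.4", "^1.3.4" or "v1.3.4-beta"; None if unparsable."""
    m = re.match(r"^[\^~=vV\s]*(\d+)\.(\d+)\.(\d+)", spec or "")
    return tuple(int(x) for x in m.groups()) if m else None


def _iter_entries(lock: dict):
    """Yield (name, install_path, version_str, requires) for each installed package.

    Handles lockfileVersion 2/3 (flat "packages" map keyed by install path) and
    lockfileVersion 1 (nested "dependencies" tree). `requires` maps the names
    this entry depends on to their range specs.
    """
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            name = meta.get("name") or (path.split("node_modules/")[-1] if path else "<root>")
            yield name, path or "<root>", meta.get("version", ""), meta.get("dependencies", {})
    else:
        def walk(deps: dict, prefix: str):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                yield name, path, meta.get("version", ""), meta.get("requires", {})
                yield from walk(meta.get("dependencies", {}), path + "/")
        yield from walk(lock.get("dependencies", {}), "")


def audit_lock(lock_json: str) -> list:
    """Report every copy of the package in the lock file, which entries pulled it
    in, and whether its version is at or above the first known-malicious release."""
    entries = list(_iter_entries(json.loads(lock_json)))
    required_by = sorted(n for n, _, _, reqs in entries if MALICIOUS_PACKAGE in reqs)
    findings = []
    for name, path, version, _ in entries:
        if name != MALICIOUS_PACKAGE:
            continue
        parsed = parse_version(version)
        findings.append({
            "path": path,
            "version": version,
            "known_malicious": parsed is not None and parsed >= FIRST_MALICIOUS_VERSION,
            "required_by": required_by,
        })
    return findings


def suspicious_units(unit_names: Iterable[str]) -> list:
    """Flag lines whose unit name matches the persistence service, with or without
    a directory prefix or .service suffix (the suffix is assumed, not reported)."""
    hits = []
    for raw in unit_names:
        line = raw.strip()
        base = line.split()[0].rsplit("/", 1)[-1] if line else ""
        if base.endswith(".service"):
            base = base[: -len(".service")]
        if base == SYSTEMD_UNIT_NAME:
            hits.append(line)
    return hits


# Constructed sample (lockfileVersion 3): a project that picked the package up via the "yawpp" decoy.
SAMPLE_LOCK = json.dumps({
    "name": "victim-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "victim-app", "version": "0.1.0", "dependencies": {"yawpp": "^1.0.0"}},
        "node_modules/yawpp": {"version": "1.0.0", "dependencies": {"@0xengine/xmlrpc": "^1.3.4"}},
        "node_modules/@0xengine/xmlrpc": {"version": "1.3.4"},
    },
})

# Constructed sample (lockfileVersion 1): same dependency chain, nested tree layout.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "victim-app", "lockfileVersion": 1,
    "dependencies": {
        "yawpp": {"version": "1.0.0", "requires": {"@0xengine/xmlrpc": "^1.3.4"},
                  "dependencies": {"@0xengine/xmlrpc": {"version": "1.3.5"}}},
    },
})

# Constructed sample in the shape of `systemctl list-unit-files --type=service` output.
SAMPLE_UNITS = [
    "UNIT FILE                  STATE    PRESET",
    "cron.service               enabled  enabled",
    "Xsession.auth.service      enabled  enabled",
    "ssh.service                enabled  enabled",
]

if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK) + audit_lock(SAMPLE_LOCK_V1):
        print(finding)
    print(suspicious_units(SAMPLE_UNITS))
```

On a real host, feed `audit_lock` the contents of each project's package-lock.json and `suspicious_units` the lines of `systemctl list-unit-files --type=service`; a hit on the package at any version warrants removing it, and a hit at 1.3.4 or later means the host should be treated as compromised and its SSH keys rotated.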
Data Collection and Exfiltration
Collected user data and system information were exfiltrated continuously through Dropbox and file.io.
This incident is another instance of a persistent dual threat: malicious packages posing as legitimate ones, and genuine packages being compromised after they have earned trust.
Proactive monitoring and auditing of dependencies are essential defenses against such attacks. Users of Checkmarx's protective solutions are covered against this specific attack vector. Nonetheless, the incident reinforces the need for vigilant oversight of every open-source dependency, including those pulled in transitively.