Phylum researchers uncovered two packages in this campaign, with one named 'img-aws-s3-object-multipart-copy' mimicking a legitimate GitHub library. The malicious version included modifications to execute a new script called 'loadformat.js' upon installation.
The loadformat.js file contained sophisticated code designed to extract and execute hidden payloads from image files bundled with the package. One of these images, disguised as a Microsoft logo, contained malicious code to establish a connection with a command and control server.
Phylum highlighted the sophistication of the attackers, stating, 'when an attacker tries to hide their payloads so deeply, we can only assume they are sophisticated and operating with clear malicious intent.'
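A defender-side check for the two ingredients described above, added here as an example rather than Phylum's tooling or any code from the campaign: it lists the install-time lifecycle hooks declared in a package.json and walks a bundled PNG's chunk structure to flag bytes that sit after the IEND chunk. It assumes the hidden payload is appended after the image's end marker, which the report does not state; the package.json contents, the file names other than loadformat.js, and the PNG bytes are all constructed.

```python
import json
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Constructed package.json modelled on the campaign: an install hook runs a bundled script.
SAMPLE_PACKAGE_JSON = '{"name": "example-pkg", "scripts": {"postinstall": "node loadformat.js", "test": "jest"}}'


def install_hooks(package_json: str) -> dict:
    """Return the lifecycle scripts that npm runs automatically during install."""
    scripts = json.loads(package_json).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def png_trailing_data(data: bytes) -> bytes:
    """Walk the PNG chunk list; a valid image ends at IEND, so return whatever follows it."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def build_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 greyscale PNG used as sample input; `trailer` is appended after IEND."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"") + trailer


def scan_package(package_json: str, files: dict) -> list:
    """Report install hooks and PNGs carrying data after IEND, for a package given as {path: bytes}."""
    findings = [f"install hook '{h}' runs: {c}" for h, c in install_hooks(package_json).items()]
    for path, data in files.items():
        if path.lower().endswith(".png") and data.startswith(PNG_SIG):
            extra = png_trailing_data(data)
            if extra:
                findings.append(f"{path}: {len(extra)} bytes after IEND")
    return findings


if __name__ == "__main__":
    sample = {"logo.png": build_png(b"// constructed sample trailing text"), "icon.png": build_png()}
    for line in scan_package(SAMPLE_PACKAGE_JSON, sample):
        print(line)
```

An install hook on its own is common in legitimate packages; the signal worth triaging is the combination of a hook with a bundled asset that carries data the image format cannot account for.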
#npm-registry #cybersecurity #malicious-packages #command-and-control-functionality #hidden-payloads