Images weaponised in latest supply chain attack
Briefly

Phylum researchers uncovered two packages in this campaign, with one named "img-aws-s3-object-multipart-copy" mimicking a legitimate GitHub library. The malicious version included modifications to execute a new script called "loadformat.js" upon installation.
The loadformat.js file contained sophisticated code designed to extract and execute hidden payloads from image files. One image disguised as a Microsoft logo contained malicious code to establish a connection with a command and control server.
"Hiding payloads in images is not a new concept," Phylum stated. Sophisticated attackers operating with clear malicious intent embed payloads deeply to achieve their goals.
Read at Developer Tech News