XML-RPC npm Library Turns Malicious, Steals Data, Deploys Crypto Miner
Briefly

The package, named @0xengine/xmlrpc, was originally published on October 2, 2023, as a JavaScript-based XML-RPC server and client for Node.js, gaining 1,790 downloads.
According to Checkmarx, the malicious code introduced in version 1.3.4 harbored functionality to harvest valuable information such as SSH keys and environment variables.
Yehuda Gelb stated, 'The attack achieved distribution through multiple vectors: direct npm installation and as a hidden dependency in a legitimate-looking repository,' illustrating varied malware spread methods.
It’s unclear whether the developer of the yawpp GitHub project knowingly added the malicious package as a dependency; either way, the attack exploited the inherent trust users place in package dependencies.
Read at The Hacker News