The malware is executed via the package's postinstall script, which npm runs automatically when the package is installed, so simply installing an affected version is enough to trigger the payload.
They were released by an attacker who gained unauthorized npm publishing access and contain malicious scripts, as revealed by the software supply chain security firm Socket.
Analysis of the rogue versions showed they make remote calls to transmit sensitive data, including cloud service credentials, and collect location details.
The attack targets specific countries, such as China and Russia, with the end goal of downloading and executing the XMRig cryptocurrency miner on compromised Linux hosts.