TLDR;
- Security researchers have identified two malicious npm packages, warbeast2000 and kodiak2k, designed to exfiltrate SSH keys from developers' systems.
- These packages used GitHub repositories to store the stolen SSH keys, encoded in Base64.
- A staggering 1300% increase in malicious packages on open-source package managers has been reported from 2020 to the end of 2023.
In a concerning trend for the open-source community, security experts have uncovered malicious npm packages that target GitHub developers by stealing their SSH keys. The discovery of these packages, named warbeast2000 and kodiak2k, highlights a growing issue within the realm of software development and open-source contributions.
Both packages were found to execute post-install scripts that retrieved and executed additional JavaScript files, ultimately leading to the exfiltration of SSH keys. These keys were then uploaded to attacker-controlled GitHub repositories, posing a significant security risk to affected developers and their associated projects.
Detailed Insights into the Malicious Packages
The warbeast2000 package, while still in development, included a post-install script in its final version that activated a JavaScript file designed to read and upload the private SSH key from the id_rsa file located in the ~/.ssh directory.
This script encoded the key in Base64 before uploading it to a GitHub repository controlled by the attacker. Despite its relatively low download count of around 400, the potential impact on security is significant.
On the other hand, kodiak2k exhibited more complex behavior, with over 30 versions, all malicious. This package not only sought out SSH keys but also included scripts capable of launching the Empire post-exploitation framework and Mimikatz, a tool used for credential dumping.
With approximately 950 downloads, the reach and potential damage of this package are concerning.
The Growing Threat of Malicious Packages
This incident is part of a larger trend, as reported by ReversingLabs, which has noted a 1300% increase in malicious packages on open-source package managers from 2020 to the end of 2023. The use of open-source platforms like GitHub by malicious actors to support their campaigns is an ongoing concern. The availability of open-source malware and detailed documentation enables even low-skilled hackers to deploy sophisticated malware.
Recommendations for Developers
In light of these discoveries, ReversingLabs recommends that developers conduct thorough security assessments before using software from package managers. Awareness of new techniques for writing malware and vigilance for threats lurking in public repositories are crucial for safeguarding against these types of attacks.
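One concrete form such a pre-use assessment can take is a static check of the package before it is installed: does it declare install-time lifecycle scripts, which files do those scripts run, and do those files contain the indicators the article describes (access to ~/.ssh and id_rsa, Base64 encoding, uploads to the GitHub API)? The Node.js script below is an added example written for this article, not code from the original post or from ReversingLabs. It assumes the reviewer has already extracted the package tarball (for instance with `npm pack`) and passes in the parsed package.json together with a map of file name to file contents; the two package fixtures at the bottom are constructed for the demonstration and are not the real warbeast2000 or kodiak2k contents.

```javascript
// Added example (not from the original article): a static pre-install check for an npm
// package, modelled on the behaviour the article reports: an install-time lifecycle
// script runs extra JavaScript that reads ~/.ssh/id_rsa, Base64-encodes it and pushes it
// to a GitHub repository. Inputs are the parsed package.json and a map of
// file name -> contents from an extracted tarball, so the check runs offline.

// Lifecycle scripts that npm runs automatically during installation.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators a reviewer would want flagged: a label plus the pattern that triggers it.
const INDICATORS = [
  { label: 'reads-ssh-dir',     re: /\.ssh\b/ },
  { label: 'reads-private-key', re: /\bid_(rsa|ed25519|ecdsa|dsa)\b/ },
  { label: 'home-dir-lookup',   re: /\b(homedir|HOME|USERPROFILE)\b/ },
  { label: 'base64-encoding',   re: /base64/i },
  { label: 'github-api-upload', re: /api\.github\.com/ },
  { label: 'spawns-process',    re: /\b(child_process|execSync|spawn)\b/ },
  { label: 'downloads-code',    re: /https?:\/\/\S+\.(js|sh)\b/ },
];

// Install-time lifecycle scripts declared in package.json, as { hook, command }.
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Labels of every indicator that matches a piece of text (a command or a file body).
function scanText(text) {
  return INDICATORS.filter(({ re }) => re.test(text)).map(({ label }) => label);
}

// Package files a lifecycle command refers to by name, e.g. "node install.js".
function referencedFiles(command, files) {
  return Object.keys(files).filter((name) => command.includes(name));
}

// Combine the checks into one report. `files` maps file name -> contents.
function assessPackage(pkg, files) {
  const hooks = findInstallHooks(pkg);
  const findings = [];
  for (const { hook, command } of hooks) {
    findings.push({ where: `scripts.${hook}`, indicators: scanText(command) });
    for (const name of referencedFiles(command, files)) {
      findings.push({ where: name, indicators: scanText(files[name]) });
    }
  }
  const indicators = new Set(findings.flatMap((f) => f.indicators));
  // Private-key access together with an outbound GitHub API call is the pattern the
  // article describes and is treated as blocking; an install hook on its own only
  // earns a manual review, since many legitimate packages build native code there.
  const keyAccess = indicators.has('reads-private-key') || indicators.has('reads-ssh-dir');
  const exfil = indicators.has('github-api-upload');
  let verdict = 'ok';
  if (hooks.length > 0) verdict = 'review';
  if (keyAccess && exfil) verdict = 'block';
  return { name: pkg.name, hooks, findings, indicators: [...indicators].sort(), verdict };
}

// Constructed fixtures (not the real packages): one benign package without install
// hooks, and one whose post-install file carries the reported indicators.
const benignPkg = { name: 'left-padder', version: '1.0.0', scripts: { test: 'node test.js' } };
const benignFiles = { 'index.js': 'module.exports = (s, n) => s.padStart(n);' };

const suspectPkg = { name: 'example-suspect', version: '2.0.0', scripts: { postinstall: 'node install.js' } };
const suspectFiles = {
  'install.js': [
    "// constructed fixture: the strings below exist only to trigger the indicators",
    "const key = fs.readFileSync(path.join(os.homedir(), '.ssh', 'id_rsa'));",
    "const body = { content: key.toString('base64') };",
    "const target = 'https://api.github.com/repos/PLACEHOLDER_OWNER/PLACEHOLDER_REPO/contents/key';",
  ].join('\n'),
};

console.log(JSON.stringify(assessPackage(benignPkg, benignFiles), null, 2));
console.log(JSON.stringify(assessPackage(suspectPkg, suspectFiles), null, 2));
```

The verdict deliberately stays at "review" rather than "block" when only an install hook is present: build steps such as `node-gyp rebuild` are common and legitimate, so the check reserves the blocking verdict for the combination of private-key access and an outbound GitHub API call, which is the specific behaviour the article attributes to these packages.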
Conclusion
The discovery of warbeast2000 and kodiak2k serves as a stark reminder of the vulnerabilities present within the software supply chain. As the open-source community continues to grow, so too does the potential for exploitation by malicious actors.
It is imperative for developers, security researchers, and users alike to remain vigilant and proactive in the face of these evolving threats.