New data exfiltration attacks involving malicious NPM packages reported

Malicious NPM packages developed by "lexi2" have been deployed in new data exfiltration attacks against software developers, reports SiliconAngle. Installing a package triggers the automated execution of files, including the "index.js" script, which gathers operating system usernames and working directories from compromised machines and delivers them to a predefined FTP server, according to a report from Checkmarx. The script scours impacted machines for .env, .github, and .gitlab directories, as well as files with the .php, .asp, and .js extensions, researchers noted. Identified directories are compressed by the script and the archives are sent to the server, while existing .zip files and unreadable directories are skipped. "Reactive countermeasures of deleting the most recent batch of malicious packages offer only temporary relief and don't get to the root of the problem. Protection against these unrelenting threats requires a more sophisticated strategy," said researchers, who urged strengthened metadata sharing and attacker monitoring to combat NPM threats.
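Because the script runs as soon as the package is installed, a useful check is to list every dependency that declares an install-time script before anything executes. The following is an added example, not code from Checkmarx or from the packages described. It assumes the automated execution happens through npm's `preinstall`, `install`, or `postinstall` lifecycle scripts, which the article does not specify, and all package names and manifests in it are constructed.

```javascript
// Added example: flag packages whose manifest declares a script that npm
// runs automatically at install time. All package names are constructed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Extract the local JS file a hook command hands to node ("node index.js").
function nodeEntryFile(command) {
  const m = /(?:^|[;&|]\s*)node\s+(?:--?\S+\s+)*(\S+\.[cm]?js)\b/.exec(command);
  return m ? m[1] : null;
}

// Audit one package.json (as text). Returns one finding per install hook.
function auditManifest(pkgDir, manifestText) {
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (_) {
    // A manifest that cannot be parsed cannot be cleared, so report it.
    return [{ pkgDir, hook: null, command: null, entry: null, error: "unparsable package.json" }];
  }
  const scripts = (manifest && typeof manifest.scripts === "object" && manifest.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({
      pkgDir, hook, command: scripts[hook],
      entry: nodeEntryFile(scripts[hook]), error: null,
    }));
}

// Audit a map of { packageDirectory: packageJsonText }.
function auditTree(manifests) {
  return Object.entries(manifests).flatMap(([dir, text]) => auditManifest(dir, text));
}

// Constructed sample input standing in for files read from node_modules.
const SAMPLE_MANIFESTS = {
  "node_modules/benign-lib": '{"name":"benign-lib","scripts":{"test":"node test.js"}}',
  "node_modules/sample-hooked": '{"name":"sample-hooked","scripts":{"preinstall":"node index.js"}}',
  "node_modules/@scope/native": '{"name":"@scope/native","scripts":{"install":"node-gyp rebuild"}}',
  "node_modules/broken": '{"name": ',
};

console.table(auditTree(SAMPLE_MANIFESTS));
```

Installing with `npm install --ignore-scripts` keeps these hooks from running while the flagged packages are reviewed.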
