Sensitive developer data targeted by new malicious NPM packages

New malicious NPM packages published by "malikrukd4732" have been discovered by Phylum, all of which could enable sensitive data exfiltration through a JavaScript file, The Hacker News reports. The test packages, which were identified on July 31, were re-uploaded with more refinement under new legitimate-sounding names, according to Phylum researchers, who suspected that the cryptocurrency sector may have been the target of the NPM packages. Installing one of the packages runs the preinstall.js file, which then triggers the index.js code, which scans for files and directories of various extensions. ZIP archive files are then used to deliver the stolen data to the attackers' server. "While these directories can have sensitive information, it's more likely they contain a lot of standard application files which are not unique to the victim's system and hence less valuable to the attacker, whose motive appears to be centered around extraction of source code or environment-specific configuration files," said Phylum.
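Because the chain described above starts from an install-time hook, a dependency tree can be audited for such hooks before any of them run. The Node.js script below is an added example, not Phylum's tooling and not code from the packages; the helper names `auditInstallHooks` and `buildSampleTree` are hypothetical, and the sample package names and scripts are constructed for the demonstration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hooks npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Collect every package.json under a node_modules-style tree.
function findManifests(dir, out = []) {
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isSymbolicLink()) continue; // do not follow links out of the tree
    if (entry.isDirectory()) findManifests(full, out);
    else if (entry.name === 'package.json') out.push(full);
  }
  return out;
}

// Report each install-time hook and whether it runs a JavaScript file via node.
function auditInstallHooks(root) {
  const findings = [];
  for (const manifest of findManifests(root)) {
    let pkg;
    try { pkg = JSON.parse(fs.readFileSync(manifest, 'utf8')); } catch { continue; }
    const scripts = pkg?.scripts ?? {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] !== 'string') continue;
      const m = scripts[hook].match(/\bnode\s+(\S+\.js)\b/);
      findings.push({ name: pkg.name, hook, command: scripts[hook], runsJs: m ? m[1] : null });
    }
  }
  return findings;
}

// Constructed sample tree: package names and scripts are made up for the demo.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'hook-audit-'));
  const samples = {
    'example-flagged': { preinstall: 'node preinstall.js' },
    'example-native': { install: 'node-gyp rebuild' },
    'example-plain': { test: 'node test.js' },
  };
  for (const [name, scripts] of Object.entries(samples)) {
    const dir = path.join(root, 'node_modules', name);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name, scripts }));
  }
  return root;
}

console.table(auditInstallHooks(buildSampleTree()));
```

Fetching dependencies with `npm install --ignore-scripts` keeps npm from executing these hooks, so the tree can be reviewed this way first.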
