Malware, Supply chain, DevSecOps

GitHub, NPM registry abused to host SSH key-stealing malware

In this photo illustration, the homepage of the GitHub website seen on a computer screen through a magnifying glass.

Malicious NPM packages designed to upload stolen SSH keys to GitHub were discovered by software threat researchers this month.

GitHub removed two packages from the NPM registry in early January  — warbeast2000 and kodiak2k  — both of which were designed to grab private SSH keys from machines they are installed on and store the keys on an attacker-controlled GitHub repository.

The SSH key-stealing malware tools were first discovered by researchers at ReversingLabs using the company’s Software Supply Chain Security platform. The malicious packages were found during the first week of January 2024 and removed by the GitHub-owned NPM registry shortly after they were reported.

The details of warbeast2000 and kodiak2k were first disclosed by ReversingLabs in a blog post on Jan. 23.

“Since there are instructions in the code’s comments, the [package] author’s intention is possibly to share malicious code with other malicious actors,” Lucija Valentić, a software threat researcher at ReversingLabs and author of the blog post, told SC Media. “They may also be hoping for developers and users to download and install warbeast2000 and kodiak2k.”

Software developers at risk from dangerous NPM packages

The warbeast2000 and kodiak2k packages both use a postinstall script to retrieve additional JavaScript code from an external source and execute it on a victim’s machine. At least one of the packages (warbeast2000) retrieves this second malicious script from a Pastebin address.

The payload installed and executed by warbeast2000 targets the id_rsa file located at /.ssh within the victim’s home directory to grab the private SSH key stored within this file. “Id_rsa” is the default file name for SSH keys generated by ssh-keygen, which is standard on Unix, Linux and macOS systems as well as Git for Windows.

After reading the private SSH key, warbeast2000’s final payload copies the key, encodes it in Base64 and uploads it to a GitHub repository controlled by the attacker. Warbeast2000 has no other functions and does not appear to imitate other legitimate packages.

Kodiak2k’s payload works similarly to warbeast2000’s, but instead of going after id_rsa, it searches (home directory)/.ssh for a file named “meow,” which the ReversingLabs researchers theorize is a just a placeholder name. As with warbeast2000, if the “meow” key is found, it is uploaded in a Base64 format to an attacker-controlled GitHub repository by the malware.

Additionally, later versions of kodiak2k executed a script from the archived GitHub repository of the Empire post-exploitation framework, which includes code related to the Mimikatz credential stealer. There were some non-malicious functions observed such as a function for running notepad.exe, and the researchers said kodiak2k was likely still undergoing development when it was removed from the NPM registry.

Valentić told SC Media that it can’t be said for sure whether warbeast2000 and kodiak2k were created by the same threat actor.

The potential breach of SSH keys by packages like warbeast2000 and kodiak2k is dangerous for software developers using the same open-source repositories where the malware was uploaded.

“SSH keys provide those who hold them the ability to access and contribute to GitHub repositories, including those containing proprietary (non-public) code,” Valentić wrote on the ReversingLabs blog. “As attacks like those on SolarWinds and 3CX show, that level of access can have a serious and negative impact on the security of the software producer, as well as the end user organizations that deploy and use the affected software: fueling devastating software supply chain attacks.”

Warbeast2000 had eight versions and was downloaded nearly 400 times by the time it was removed, while kodiak2k had more than 30 versions and was downloaded about 950 times before its removal, according to ReversingLabs.

Open-source package managers face 1,300% increase in malware uploads

The NPM registry has been misused to distribute malware many times in the past, with recent examples including a campaign that targeted Roblox developers with the Luna Grabber information stealer last August and a flood of 15,000 phishing packages that hit the registry last February.

GitHub and the NPM repository are not alone, as the Python Package Index (PyPI) has also been plagued with malicious packages, some amassing thousands of downloads.

ReversingLab’s State of Software Supply Chain Security 2024 report revealed that 13 times more malware packages were found circulating in open source package repositories like NPM and PyPI in 2023 compared with 2020.

Valentić outlined some of the red flags developers should look for when considering using packages from open source websites.

It "could be things like typosquatting (dressing a package up to look like another known/pouplar open source package), the presence of obfuscated code (unusual in an open source package), or (as in this case) post-install scripts that fetch and execute files from outside of the package,” Valentić explained in an email to SC Media.

The NPM registry and PyPI platforms themselves have also taken steps to respond to growing security threats, Valentić noted.

“That’s particularly true around account security, with platforms like npm strongly encouraging developers to adopt multi-factor authentication, code scanning, and more granular permissions for access tokens,” Valentić said. “Platforms like GitHub, npm and others have also stepped up scanning for accidentally exposed secrets or PII.”

GitHub did not respond to questions from SC Media about warbeast2000 and kodiak2k or its safeguards against malware distribution.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.