Fortinet FortiGuard Labs has uncovered nearly 30 malicious packages in the npm registry, all built to steal sensitive data from developers’ systems.
Among them are @expue/webpack, @expue/core, @expue/vue3-renderer, @fixedwidthtable/fixedwidthtable, and @virtualsearchtable/virtualsearchtable. These packages conceal an obfuscated JavaScript file that harvests secrets, including Kubernetes configurations, SSH keys, and system metadata such as usernames, IP addresses, and hostnames.
The company also identified a second group of four modules, binarium-crm, career-service-client-0.1.6, hh-dep-monitoring, and orbitplate, designed to exfiltrate source code and configuration files from the host.
Security researchers noted that “the targeted files and directories may contain highly valuable intellectual property and sensitive information, such as various application and service credentials.” These files are then archived and uploaded to an FTP server.
Some of the packages exfiltrate the stolen data through a Discord webhook instead. A few others download executable files from remote URLs and run them automatically.
In a notable twist, a rogue package named @cima/prism-utils uses an install script to disable TLS certificate validation by setting NODE_TLS_REJECT_UNAUTHORIZED=0. With that variable set, Node.js accepts any server certificate, including self-signed or mismatched ones, so every HTTPS connection made by a process that inherits the setting is open to man-in-the-middle (MitM) interception.
Fortinet grouped the identified modules into nine clusters based on code similarity and function. Many of them rely on npm lifecycle scripts (preinstall, install, postinstall), which run automatically during installation, to carry out the data harvesting.
The researchers caution users to watch for packages that ship suspicious install scripts and to treat any such package with care before installing it.