On July 13, 2024, the security company Phylum was alerted to suspicious packages on the npm package registry.
Despite appearing legitimate, the packages contained sophisticated malware concealed inside image files, which posed a significant threat to anyone who installed them.
Two fake packages were discovered in this campaign; one of them was called “img-aws-s3-object-multipart-copy.”
This package is a replica of the library “aws-s3-object-multipart-copy” from GitHub. The counterfeit, however, shipped an additional script, “loadformat.js,” which executed malicious code when the package was installed.
The script appeared to analyze image files, but it was actually reading each byte of the images, converting the bytes into characters, and accumulating them in a variable named “analyzepixels.”

If the resulting string was longer than 2,000 characters, a variable named “convertertree” was set to true, and the commands hidden in the image were executed as code.
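The extraction described above is easy to turn around into a check. The following is an added example, not Phylum's code and not the loader from the malicious package: it rebuilds the text a loader would recover from an image (one character per byte) and flags images whose recovered text clears the 2,000-character trigger and also contains tokens that belong in a script rather than in a picture. Two assumptions are mine: that only bytes in the printable-ASCII range 0x20-0x7E are kept (the article only says bytes were converted to characters), and the token list used to cut down false positives. The two "logo" buffers are constructed stand-ins, not the real files.

```javascript
// Added detection example; not Phylum's code and not the loader from the
// malicious package. It mimics the described extraction (every byte of an
// image converted to a character) so that images carrying text payloads can
// be flagged before anything is installed. Assumption: only bytes in the
// printable-ASCII range 0x20-0x7E are kept, since a byte outside that range
// could not form readable script text.
const PRINTABLE_MIN = 0x20;
const PRINTABLE_MAX = 0x7e;
const LENGTH_THRESHOLD = 2000; // the trigger length the article reports

// Tokens that are ordinary in a loader script but have no business in a JPEG
// (this list is an assumption of the example, not from the article).
const SCRIPT_TOKENS = ['require(', 'function', 'child_process', 'exec(', 'setInterval', 'hostname'];

// Rebuilds the text a loader would recover: one character per printable byte.
function extractPrintable(buf) {
  let out = '';
  for (const b of buf) {
    if (b >= PRINTABLE_MIN && b <= PRINTABLE_MAX) out += String.fromCharCode(b);
  }
  return out;
}

// Scores one image: over the length threshold AND carrying at least two
// script tokens is treated as suspicious (length alone would also flag
// images with long, harmless EXIF/XMP metadata).
function scanImage(name, buf) {
  const text = extractPrintable(buf);
  const tokens = SCRIPT_TOKENS.filter((t) => text.includes(t));
  return {
    name,
    printableChars: text.length,
    overThreshold: text.length > LENGTH_THRESHOLD,
    scriptTokens: tokens,
    suspicious: text.length > LENGTH_THRESHOLD && tokens.length >= 2,
  };
}

// Constructed sample inputs (not the real logo files). Both start with a JPEG
// SOI marker and a JFIF tag, so even the "clean" stand-in carries a few
// printable header bytes.
const JPEG_HEADER = Buffer.concat([Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10]), Buffer.from('JFIF')]);
const JPEG_EOI = Buffer.from([0xff, 0xd9]);

const CLEAN_IMAGE = Buffer.concat([JPEG_HEADER, Buffer.alloc(3000, 0x00), JPEG_EOI]);

// Harmless stand-in for an embedded loader: shaped like a beacon script but
// does nothing, and this scanner never executes what it extracts.
const FAKE_PAYLOAD = [
  "const os = require('os');",
  "const { exec } = require('child_process');",
  'const host = os.hostname();',
  'function beacon() { /* constructed stand-in, no network activity */ }',
  'setInterval(beacon, 60000);',
  '// ' + 'x'.repeat(2100), // padding so the text clears the 2,000-char trigger
].join('\n');

const SUSPICIOUS_IMAGE = Buffer.concat([JPEG_HEADER, Buffer.alloc(512, 0x00), Buffer.from(FAKE_PAYLOAD, 'utf8'), JPEG_EOI]);

const SAMPLE_IMAGES = [
  ['logo_clean.jpg', CLEAN_IMAGE],
  ['logo_hidden_script.jpg', SUSPICIOUS_IMAGE],
];

function scanAll() {
  return SAMPLE_IMAGES.map(([name, buf]) => scanImage(name, buf));
}

for (const result of scanAll()) console.log(JSON.stringify(result));
```

Run it with node on the files under a package's root directory (read each image with fs.readFileSync in place of the constructed buffers) and treat any `suspicious: true` result as a reason not to install. The two-condition rule matters: a large photo with embedded XMP metadata easily exceeds 2,000 printable characters, so length by itself is a weak signal.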
Command-and-Control Hidden in JPEGs
In the package's root directory, three image files were discovered: logo1.jpg, logo2.jpg, and logo3.jpg.
The malware was triggered by the data in the Microsoft logo (logo2.jpg), which contained code designed to connect to a remote server at 85.208.108.29 at regular intervals and carry out the attacker's commands.

The script first registers the infected machine with the server by sending its hostname and operating system details.
After a short delay, it polls the server repeatedly for fresh instructions from the attacker.
Those commands can change the working directory, adjust the polling interval, or execute arbitrary code supplied by the attacker; the output of each command is sent back to the attacker's server.
This method is not new: in May 2024, the same technique of concealing harmful code within images was observed in PyPI packages.
Nevertheless, the individuals behind these npm packages clearly possess considerable expertise and malicious intent.
The malicious version of “img-aws-s3-object-multipart-copy” adds code to the otherwise legitimate “index.js” file; this addition runs the “loadformat.js” script, which contains the hidden malware.
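Because the published copy differs from the upstream project only by the added files and one extra line in index.js, that difference is what a reviewer should look for. The following is an added example, not Phylum's tooling and not the package's own code: it diffs a published package's file list against the upstream repository's and then reports which require() calls in the published index.js pull in files the upstream never had. The file lists and the index.js contents are constructed stand-ins that mirror the pattern described in the article, not the real package contents.

```javascript
// Added example (not Phylum's tooling and not the package's own code): diff a
// published npm package's file list against the upstream repository's, then
// look for require() calls in the published index.js that pull in files the
// upstream never had. File lists and index.js contents are constructed
// stand-ins, not the real package contents.

// Constructed file list of the legitimate upstream project.
const UPSTREAM_FILES = ['package.json', 'README.md', 'index.js', 'lib/multipart.js'];

// Constructed file list of the published copy: the same files plus a loader
// script and three images, mirroring the pattern described in the article.
const PUBLISHED_FILES = [
  'package.json', 'README.md', 'index.js', 'lib/multipart.js',
  'loadformat.js', 'logo1.jpg', 'logo2.jpg', 'logo3.jpg',
];

// Constructed index.js of the published copy: legitimate code plus one
// extra line that wires in the added script.
const PUBLISHED_INDEX_JS = [
  "const multipart = require('./lib/multipart');",
  "require('./loadformat.js');",
  'module.exports = { copyMultipart: multipart.copy };',
].join('\n');

// Files present in the published package but absent upstream.
function addedFiles(upstream, published) {
  const known = new Set(upstream);
  return published.filter((f) => !known.has(f));
}

// Relative require() specifiers ('./x', '../x') in a source file; bare
// package names such as 'os' are ignored because they are not shipped files.
function localRequires(source) {
  const re = /require\(\s*['"](\.{1,2}\/[^'"]+)['"]\s*\)/g;
  return Array.from(source.matchAll(re), (m) => m[1]);
}

// Node's resolution of a relative specifier, simplified to the three forms
// that matter here: exact path, path + '.js', path + '/index.js'. Paths are
// taken relative to the package root, where index.js lives.
function resolveCandidates(specifier) {
  const base = specifier.replace(/^\.\//, '');
  return [base, base + '.js', base + '/index.js'];
}

// Requires in the published entry point that resolve to added files.
function wiredInAddedFiles(upstream, published, indexSource) {
  const added = new Set(addedFiles(upstream, published));
  return localRequires(indexSource).filter((spec) =>
    resolveCandidates(spec).some((candidate) => added.has(candidate)));
}

function audit() {
  return {
    added: addedFiles(UPSTREAM_FILES, PUBLISHED_FILES),
    wiredIn: wiredInAddedFiles(UPSTREAM_FILES, PUBLISHED_FILES, PUBLISHED_INDEX_JS),
  };
}

console.log(JSON.stringify(audit(), null, 2));
```

In practice the two lists come from `npm pack` (or the tarball's `files` listing) and from a checkout of the repository named in package.json's `repository` field; an added file that is both absent upstream and reachable from the entry point, as loadformat.js is here, is the strongest signal, while added images that nothing references are a weaker one worth a second look.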
The malicious packages were available on npm for almost two days before they were reported and taken down.