Constant Onslaught of Malicious NPM Packages Bundled With njRAT Malware
According to a Sonatype report, there has been a 430% increase in malicious code injection within open-source software (OSS) projects. Recently, cybercriminals have been seen using two malicious packages, jdb.js and db-json.js, to deliver the njRAT (aka Bladabindi) malware.
Sonatype security researcher Ax Sharma found that both packages contain a malicious script that gets executed after web developers import and install either of the two libraries.
- Both packages described themselves as tools to help developers work with JSON files typically generated by database applications.
- The jdb.js package attempts to mimic the legitimate NodeJS-based database library - jdb, and the db-json.js package carries an identical name to the genuine db-json library.
- Furthermore, the post-install script of jdb.js attempts to download and run a file named patch.exe, which in turn installs njRAT.
- Researchers have observed more than 100 downloads of these packages from the NPM package registry.
Recent NPM malware components
Several malware components, such as discord.dll, discord.app, wsbd.js, and ac-addon, have been discovered and have already made headlines.
- The most recent CursedGrabber campaign was associated with xpc.js malware that was stealing Discord tokens and sensitive user data by targeting Windows hosts.
- Earlier, researchers had found two NPM packages, discord.dll and twilio-npm, executing nearly the same tasks with slight differences: stealing sensitive files from the Discord application and browsers.
The npm team has published a security advisory for this malicious code. The emergence of counterfeit components suggests that next-gen software supply chain attacks will occur if adequate protections are not in place.