The Socket Threat Research Team has uncovered alarming evidence of cyber threat actors weaponizing shell techniques across popular open-source ecosystems, including npm, PyPI, Go, and Maven.
These malicious practices enable attackers to maintain persistence, exfiltrate sensitive data, and compromise systems worldwide.
The findings highlight the critical need for enhanced security measures in software supply chains.
Shells: A Double-Edged Sword
In the natural world, shells provide protection, but in the digital realm, they can be tools of exploitation.
Ethical security professionals use shell access for tasks like monitoring connections and preventing command injection.
However, cybercriminals deploy shells to execute commands remotely, upload/download files, and gain unauthorized control over systems.
Advanced Persistent Threat (APT) groups such as APT28 (Russia), APT32 (Vietnam), and HAFNIUM (China) are notorious for leveraging web shells to infiltrate servers and steal trade secrets.
For example, HAFNIUM uses web shells to target U.S. entities across various industries.
These malicious codes exploit vulnerabilities in web servers, granting attackers persistent access.
Socket’s large-scale scanning of open-source ecosystems has flagged multiple instances of web shells embedded within npm, PyPI, Go, and Maven packages.
These findings underscore the growing sophistication of supply chain attacks.
Examples of Malicious Shell Code
PyPI Ecosystem
One example involves a Python package creating a reverse shell using the os.system() function to establish a TCP connection on port 7777.
This allows attackers complete shell access to compromised systems. Another instance masquerades as a calculator function while secretly spawning an interactive shell via pty.spawn().
Both examples demonstrate obfuscation techniques that make detection challenging.
npm Ecosystem
In npm packages, malicious code includes TCP-based reverse shells that connect to remote servers on ports like 4444—commonly used by tools like Metasploit.
Some packages disguise their functionality as remote client updaters while secretly enabling remote access trojans.
Go and Maven Ecosystems
Go packages use scrambled arrays of strings to obfuscate payloads that download and execute remote scripts silently.
Similarly, Maven examples involve downloading Groovy scripts from hardcoded IP addresses and executing them in memory using GroovyShell—a tactic granting attackers sophisticated exploitation capabilities.
Recommendations for Developers and Organizations
As threat actors innovate their methods, developers and organizations must adopt proactive measures to safeguard their software supply chains:
- Detect Anomalous Behavior: Use tools like Socket’s AI-powered scanners to identify suspicious scripts, obfuscated code, or unusual network activity within dependencies.
- Enforce Supply Chain Security Policies: Regularly review third-party dependencies and implement strict policies for package inclusion.
- Leverage Security Tools: Incorporate free tools such as Socket’s GitHub App for pull request-level scans, CLI for pre-install checks, and browser extensions for package analysis.
Web shells will remain a favored tool for cybercriminals due to their versatility and stealth.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
%20(1).webp?w=1200&resize=1200,0&ssl=1&description=These malicious practices enable attackers to maintain persistence, exfiltrate sensitive data, and compromise systems worldwide.){kind=link}