
Malicious npm Package Exploiting Developers in Supply Chain Attack


Cybersecurity researchers have uncovered a prolonged supply chain attack leveraging a malicious npm package, @0xengine/xmlrpc, which has been active for over a year.

Initially introduced as a legitimate XML-RPC implementation for Node.js in October 2023, the package underwent a malicious transformation starting with version 1.3.4, published just days after its initial release.

By November 2024, the package had received 16 updates, maintaining an appearance of legitimate development while concealing its harmful intent.

The malware embedded within the package is designed to steal sensitive data, such as SSH keys, bash history, and system environment variables, every 12 hours.

It exfiltrates this information via services like Dropbox and file.io.

Additionally, the malware deploys the XMRig cryptocurrency miner on infected systems to mine Monero for the attackers. As of the latest investigation, 68 systems were actively mining cryptocurrency on their behalf.

Sophisticated Distribution Techniques

The attack leveraged two primary distribution vectors.

The first involved direct installation of @0xengine/xmlrpc from the npm registry.

The second method exploited trust in open-source dependencies by embedding the malicious package within a GitHub repository named “yawpp.”

This repository posed as a legitimate WordPress automation tool but required @0xengine/xmlrpc as a dependency.

Developers installing yawpp unknowingly downloaded the compromised package, introducing it into their environments.

[Image caption: Real Package (@ton/ton)]

This dual-distribution strategy highlights the risks of trusting dependencies within software ecosystems.

By masquerading as a legitimate project and maintaining regular updates, the attackers ensured the package remained undetected for an extended period.

Advanced Evasion Tactics

To avoid detection, the malware employed sophisticated evasion techniques.

It monitored system processes and paused mining operations when commands like top or ps were executed.

The malware also suspended activity if user interaction was detected, further complicating efforts to identify and mitigate its presence.

The attackers’ use of obfuscated code within key files like “validator.js” and their ability to maintain persistence through systemd configurations underscore their technical expertise.

According to Socket's report, these methods allowed the attackers to sustain their campaign while avoiding immediate scrutiny from security tools and researchers.
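One defender-side way to look for the kind of systemd persistence described above is to review unit files for a Node.js runtime being launched on a script that lives in a user-writable location. The script below is an added example, not code from the article or from Socket's report; the heuristic, the unit file text, the unit names and every path in the sample are constructed for illustration and are not observed indicators from the campaign.

```javascript
// Added example: hunt for systemd units that start a Node.js runtime on a
// script living in a user-writable location, a pattern worth reviewing when a
// malicious npm package is suspected of installing persistence. The heuristic
// and all sample unit text/paths are constructed; none are observed indicators.

const NODE_RUNTIME = /(^|\/)(node|nodejs|npm|npx)$/;
const USER_WRITABLE = /(^\/home\/|^\/tmp\/|^\/var\/tmp\/|\/node_modules\/|\/\.[^/\s]+\/)/;
const USER_UNIT_DIR = /\/\.config\/systemd\/user\//;

// Minimal parser for the INI-like unit format; repeated keys become arrays.
function parseUnit(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      current = header[1];
      sections[current] = sections[current] || {};
      continue;
    }
    const eq = line.indexOf('=');
    if (eq < 0 || current === null) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    sections[current][key] =
      key in sections[current] ? [].concat(sections[current][key], value) : value;
  }
  return sections;
}

function assessUnit(unitPath, text) {
  const service = parseUnit(text).Service || {};
  const reasons = [];
  for (const exec of [].concat(service.ExecStart || [])) {
    // Drop systemd's executable prefix characters ("-", "@", "+", "!", ":").
    const argv = exec.replace(/^[-@+!:]+/, '').split(/\s+/);
    if (!NODE_RUNTIME.test(argv[0])) continue;
    const scriptArg = argv.slice(1).find((a) => USER_WRITABLE.test(a));
    if (scriptArg) reasons.push(`node started on user-writable path ${scriptArg}`);
  }
  // Context that raises priority, only reported alongside a primary hit.
  if (reasons.length > 0) {
    if (/^(always|on-failure)$/.test(service.Restart || '')) {
      reasons.push(`Restart=${service.Restart} re-launches it after it is killed`);
    }
    if (USER_UNIT_DIR.test(unitPath)) {
      reasons.push('per-user unit: installable without root');
    }
  }
  return { unitPath, suspicious: reasons.length > 0, reasons };
}

function hunt(units) {
  return Object.entries(units)
    .map(([unitPath, text]) => assessUnit(unitPath, text))
    .filter((r) => r.suspicious);
}

// Constructed sample units: one ordinary service and one matching the heuristic.
const SAMPLE_UNITS = {
  '/etc/systemd/system/internal-api.service': `
[Unit]
Description=Internal API

[Service]
ExecStart=/usr/bin/node /opt/internal-api/server.js
Restart=on-failure

[Install]
WantedBy=multi-user.target
`,
  '/home/dev/.config/systemd/user/helper.service': `
[Unit]
Description=helper

[Service]
ExecStart=/usr/bin/node /home/dev/.cache/helper/validator.js
Restart=always

[Install]
WantedBy=default.target
`,
};

console.log(JSON.stringify(hunt(SAMPLE_UNITS), null, 2));
```

To run this against a real host, replace SAMPLE_UNITS with the contents of the unit files under /etc/systemd/system and each user's ~/.config/systemd/user (read with fs.readFileSync), and treat hits as triage leads rather than verdicts: a legitimate developer tool started from a home directory will match too, so confirm what the referenced script actually does before acting.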

This incident underscores the growing threat posed by supply chain attacks in software development ecosystems.

Even packages with an established history can be compromised at any stage, emphasizing the need for continuous monitoring throughout their lifecycle.

Developers are urged to scrutinize dependencies rigorously and implement security measures such as attestation checks and automated vulnerability scanning to mitigate risks.
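The dependency-chain risk described in the distribution section (yawpp pulling in @0xengine/xmlrpc as a transitive dependency) and the dependency scrutiny recommended here can be put into practice with a lockfile audit run in CI. The following Node.js script is an added example, not code from the article or from Socket; the lockfile it checks is constructed, the yawpp repository owner, commit and integrity hashes are placeholders, and the only real indicator it uses is the package name @0xengine/xmlrpc named in the article.

```javascript
// Added example: audit an npm v2/v3 package-lock.json for (a) known-bad package
// names, direct or transitive, reporting the dependency chain that pulled them
// in, (b) entries with no integrity hash, and (c) entries not resolved from the
// public npm registry (e.g. a git URL). Not code from the article or Socket.

// Only the package name is taken from the article; extend the set as needed.
const KNOWN_BAD = new Set(['@0xengine/xmlrpc']);
const REGISTRY = 'https://registry.npmjs.org/';

// Constructed sample lockfile. Owner, commit and integrity values are placeholders.
const SAMPLE_LOCK = {
  name: 'wp-automation-demo',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'wp-automation-demo',
      dependencies: { yawpp: 'github:EXAMPLE-OWNER/yawpp', express: '^4.19.2' },
    },
    'node_modules/yawpp': {
      version: '1.0.0',
      resolved: 'git+ssh://git@github.com/EXAMPLE-OWNER/yawpp.git#PLACEHOLDER',
      dependencies: { '@0xengine/xmlrpc': '^1.3.4' },
    },
    'node_modules/@0xengine/xmlrpc': {
      version: '1.3.4',
      resolved: 'https://registry.npmjs.org/@0xengine/xmlrpc/-/xmlrpc-1.3.4.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/express': {
      version: '4.19.2',
      resolved: 'https://registry.npmjs.org/express/-/express-4.19.2.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function nameFromPath(lockPath) {
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Follow first-recorded parent edges from `name` up to the project root.
function chainTo(name, parents) {
  const chain = [name];
  const seen = new Set([name]);
  let cur = name;
  while ((parents.get(cur) || []).length > 0) {
    cur = parents.get(cur)[0];
    if (seen.has(cur)) break; // cycle guard
    seen.add(cur);
    chain.unshift(cur);
    if (cur === '<root>') break;
  }
  return chain.join(' -> ');
}

function auditLockfile(lock) {
  const packages = lock.packages || {};
  const byName = new Map();
  for (const [lockPath, entry] of Object.entries(packages)) {
    if (lockPath !== '') byName.set(nameFromPath(lockPath), entry);
  }

  // Reverse edges: dependency name -> names of packages that declare it.
  const parents = new Map();
  const addEdges = (parentName, entry) => {
    for (const kind of ['dependencies', 'devDependencies', 'optionalDependencies']) {
      for (const dep of Object.keys(entry[kind] || {})) {
        if (!parents.has(dep)) parents.set(dep, []);
        parents.get(dep).push(parentName);
      }
    }
  };
  addEdges('<root>', packages[''] || {});
  for (const [name, entry] of byName) addEdges(name, entry);

  const findings = [];
  for (const [name, entry] of byName) {
    if (KNOWN_BAD.has(name)) {
      findings.push({ name, rule: 'known-bad', chain: chainTo(name, parents) });
    }
    if (!entry.integrity) {
      findings.push({ name, rule: 'missing-integrity' });
    }
    const resolved = entry.resolved || '';
    if (!resolved.startsWith(REGISTRY)) {
      findings.push({ name, rule: 'non-registry-source', resolved });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

In a real pipeline, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) and fail the build when auditLockfile returns any finding. The chain output is what makes the transitive case actionable: it names the direct dependency (here yawpp) that has to be removed or pinned, rather than just the malicious package buried beneath it, and the non-registry and missing-integrity rules catch the git-sourced dependency even before its name appears on any denylist.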

The discovery of @0xengine/xmlrpc follows a broader trend of malicious campaigns targeting both npm and PyPI repositories.

These attacks exploit trust in open-source ecosystems to distribute malware capable of data theft and cryptocurrency mining, posing significant risks to developers and organizations alike.
