New npm threats can erase production systems with a single request

Smart and fail-safe command and control: The 'monitoring' malicious package is designed to auto-detect the host OS (Unix or Windows) and the server framework (Express, Fastify, or native HTTP). It registers OS-specific destructive routes that execute file-system wipes regardless of the environment.

Additionally, to increase reliability, the malware exposes three backdoor endpoints: a default reconnaissance module, a primary destructive route, plus a secondary fallback. If one destruction endpoint is blocked or overlooked, the attacker can still trigger system destruction via an alternate route.

"Both destruction endpoints support dry-run mode for reconnaissance and include the same cross-platform deletion logic, but return different response formats to avoid detection patterns," Pandya noted.

Socket's analysis identified middleware as the perfect target for this abuse, and said to expect more attacks targeting framework-specific systems (Express, Fastify, Koa), packages that modify other packages at runtime, and security tools that may create vulnerabilities.

npm abuses pile up as Socket keeps uncovering more malicious activity targeting the popular JavaScript package registry. Most recently, it reported 60 npm packages stealing sensitive host and network information in the just under two weeks they were live. This follows earlier findings of attackers abusing npm with typo-squatted packages laced with info-stealers and remote code execution payloads aimed at multi-language developers.
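Because the package described above works by registering routes of its own on the host application, one defensive check is to record every route registration and compare it against an allowlist. The following is an added example, not code from the article or from Socket; `auditRoutes`, the stand-in app, the owner label and all route paths are hypothetical and constructed for illustration, and it assumes an Express-style `app.get(path, handler)` registration API.

```javascript
const HTTP_METHODS = ['get', 'post', 'put', 'delete', 'patch', 'all'];

// Wrap an Express-style app's registration methods so each route added
// is recorded with a label naming the code that was running at the time.
function auditRoutes(app) {
  const seen = [];
  let owner = 'application';
  for (const method of HTTP_METHODS) {
    const original = app[method];
    if (typeof original !== 'function') continue;
    app[method] = function (path, ...handlers) {
      // Express's app.get(name) with no handler reads a setting; skip it.
      if (handlers.length > 0) {
        seen.push({ method: method.toUpperCase(), path: String(path), owner });
      }
      return original.call(this, path, ...handlers);
    };
  }
  return {
    // Run fn (for example, mounting a dependency) and attribute its routes.
    as(label, fn) {
      const prev = owner;
      owner = label;
      try { return fn(); } finally { owner = prev; }
    },
    // Recorded routes that are missing from an allowlist of "METHOD path".
    unexpected(allowlist) {
      const allowed = new Set(allowlist);
      return seen.filter((r) => !allowed.has(`${r.method} ${r.path}`));
    },
  };
}

// Constructed stand-in app so the example runs without any framework.
const makeFakeApp = () =>
  Object.fromEntries(HTTP_METHODS.map((m) => [m, function () { return this; }]));

function demo() {
  const app = makeFakeApp();
  const audit = auditRoutes(app);
  app.get('/health', () => {});               // the application's own route
  audit.as('third-party-middleware', () => {  // constructed dependency behaviour
    app.get('/metrics', () => {});            // documented and allowlisted
    app.post('/_extra/one', () => {});        // undocumented (constructed path)
    app.all('/_extra/two', () => {});         // undocumented (constructed path)
  });
  app.get('env');                             // settings lookup, not a route
  return audit.unexpected(['GET /health', 'GET /metrics']);
}
```

The owner label is only accurate for routes registered synchronously inside `as()`; routes added later still appear in `unexpected()` but are attributed to `application`.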

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4004261/new-npm-threats-can-erase-production-systems-with-a-single-request.html
