C2 Attacks Exploiting Images in NPM Packages
Security researchers have identified two malicious packages on the npm registry that carried backdoor code designed to execute commands from a remote server. The packages, named “img-aws-s3-object-multipart-copy” and “legacyaws-s3-object-multipart-copy,” were downloaded 190 and 48 times, respectively. At the time of writing, both had been removed by the npm security team.
Phylum, a software supply-chain security firm, noted in its analysis that the packages contained command-and-control (C2) functionality hidden inside image files that looked harmless on their own. The packages impersonated the legitimate npm library “aws-s3-object-multipart-copy,” but shipped with a modified “index.js” that executed an additional JavaScript file, “loadformat.js”; this routine ran during package installation.
The JavaScript file read three image files carrying the logos of Intel, Microsoft, and AMD. The Microsoft logo was the one from which the script extracted and executed the malicious code. That code registered the host as a new client with the C2 server, sending hostname and operating system details, and then polled for commands issued by the attackers. In the final stage, the output of the executed commands was sent back to the attackers through a dedicated endpoint.
Phylum has observed a substantial increase in both the number and the sophistication of malicious packages published to open-source ecosystems in recent years. “These attacks are proving successful. Developers and security organizations alike are keenly aware of this fact and are deeply vigilant with regard to open source libraries they consume,” the company’s statement declared.