A malicious component in the npm package registry has been found to be deploying an open-source rootkit.
The package is called node-hide-console-windows and appears to be a typosquat of the legitimate npm package node-hide-console-window: the malicious name carries an extra “s” at the end. It had been downloaded 704 times over the past two months. The package fetched a Discord bot that planted the rootkit. The malicious code lives in the package’s index.js file and runs an open-source trojan known as DiscordRAT 2.0. The trojan lets attackers remotely control the victim’s machine over Discord, using over 40 commands to collect sensitive data while disabling security software. This is the first time a package has been found to deliver rootkit functionality. The package was also assembled from freely available components, letting attackers put together a supply chain attack with little effort. This incident is a reminder that developers need to take care when installing open source components: run security scans and maintain scanning policies that protect against typosquatting.
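As an added example, not code from the article or from either linked report: a small pre-install check that flags dependency names sitting within a couple of edits of a team-maintained allowlist, which is exactly how the lookalike name here differs from the real package. The allowlist and the sample package.json are constructed for the demonstration.

```javascript
// Added example (not from the original article): flag dependencies whose names
// are a short edit distance away from a known-good package name, the pattern
// behind node-hide-console-windows vs. node-hide-console-window.

// Constructed allowlist of packages the team has already vetted (assumption).
const KNOWN_GOOD = ["node-hide-console-window", "express", "lodash"];

// Levenshtein edit distance between two strings, O(len(a) * len(b)).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Scan the dependency names in a parsed package.json object. An exact allowlist
// match is fine; a name within maxDistance edits of an allowlisted name, but not
// equal to it, is reported as a typosquat candidate for human review.
function findTyposquatCandidates(pkg, knownGood = KNOWN_GOOD, maxDistance = 2) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (knownGood.includes(name)) continue;
    for (const good of knownGood) {
      const d = editDistance(name, good);
      if (d > 0 && d <= maxDistance) {
        findings.push({ name, lookalike: good, distance: d });
      }
    }
  }
  return findings;
}

// Constructed package.json carrying the lookalike name from the incident.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "node-hide-console-windows": "^1.0.0", "express": "^4.18.2" },
};

console.log(JSON.stringify(findTyposquatCandidates(SAMPLE_PACKAGE_JSON), null, 2));
```

Wired into a CI step before `npm install`, a non-empty findings list blocks the build until someone confirms the package is the intended one.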
https://www.reversinglabs.com/blog/r77-rootkit-typosquatting-npm-threat-research
https://thehackernews.com/2023/10/rogue-npm-package-deploys-open-source.html
This segment was created for the It’s 5:05 podcast