Researchers at ReversingLabs have discovered two malicious modules in the popular npm package registry that used GitHub to store stolen data. The modules, named warbeast2000 and kodiak2k, were published in early January and had garnered 412 and 1281 downloads, respectively, before npm staff removed them. The most recent downloads occurred on January 21. ReversingLabs found multiple versions of warbeast2000 and over thirty versions of kodiak2k. Both modules were built to run a script automatically after installation, and each could then retrieve and execute further JavaScript files.
The warbeast2000 module attempts to access a private SSH key, while kodiak2k is designed to search for a key named “Meow,” which suggests the use of placeholder names during the early stages of development.
In the second stage of the malicious script, the private SSH key is read from the id_rsa file in the .ssh directory. The key is then Base64-encoded and uploaded to a GitHub repository controlled by the attacker. Later versions of kodiak2k executed a script from an archived GitHub project that contained the post-exploitation framework Empire. That script can launch Mimikatz, which extracts sensitive data from process memory.
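A defender-side check for the pattern described above (an install-time lifecycle hook whose script touches SSH key material, Base64 encoding and a GitHub upload), added here as an example and not code from ReversingLabs or npm; the package contents, file names and indicator names are constructed for the illustration:

```javascript
// Added example: audit an npm package's lifecycle hooks and the script files
// they invoke for the indicators the article describes. Indicator names and
// the sample package below are constructed, not taken from the real modules.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

const INDICATORS = [
  { name: "ssh-dir",       re: /\.ssh\b/ },
  { name: "private-key",   re: /id_(rsa|ed25519|ecdsa)|BEGIN (OPENSSH|RSA) PRIVATE KEY/ },
  { name: "base64",        re: /toString\(\s*["']base64["']\s*\)|btoa\(/ },
  { name: "github-upload", re: /api\.github\.com|github\.com\/[^\s"']+\/(contents|git)\b/ },
  { name: "child-exec",    re: /child_process|\bexec(Sync)?\(|\bspawn(Sync)?\(/ },
];

// Script files named in a hook command, e.g. "node stage2.js" -> ["stage2.js"].
function referencedFiles(cmd) {
  return [...cmd.matchAll(/\b([\w./-]+\.c?js)\b/g)].map((m) => m[1]);
}

// pkg: parsed package.json; files: map of relative path -> source text.
// Returns one finding per install hook plus one per indicator hit in its scripts.
function auditPackage(pkg, files) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    findings.push({ hook, file: null, indicator: "install-hook" });
    for (const f of referencedFiles(scripts[hook])) {
      const src = files[f] ?? "";
      for (const ind of INDICATORS) {
        if (ind.re.test(src)) findings.push({ hook, file: f, indicator: ind.name });
      }
    }
  }
  return findings;
}

// Constructed sample modelled on the article's second stage; the repository
// path is a placeholder and the upload itself is deliberately omitted.
const samplePkg = { name: "example-pkg", version: "1.0.0",
                    scripts: { postinstall: "node stage2.js" } };
const sampleFiles = {
  "stage2.js": [
    'const key = fs.readFileSync(path.join(os.homedir(), ".ssh", "id_rsa"));',
    'const encoded = key.toString("base64");',
    "// ... written to https://api.github.com/repos/<placeholder>/contents/ (omitted)",
  ].join("\n"),
};

for (const finding of auditPackage(samplePkg, sampleFiles)) console.log(finding);
```

Run against a real package by reading its package.json and the files it ships (the contents of `npm pack`) into the same two arguments; any install hook is worth a look, and an indicator hit inside one is a strong reason not to install.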
This discovery is yet another instance of cybercriminals using open-source packages and the infrastructure around them to distribute malware through the software supply chain, targeting developers and end users alike.