Researchers at Checkmarx have uncovered a software supply chain attack that ran for more than a year. It centred on a malicious npm package, @0xengine/xmlrpc, which started out in October 2023 as a legitimate library and was later turned into a tool for cryptomining and data theft. The package remained active until November 2024, receiving regular updates and keeping up the appearance of a normally maintained project.
The malicious code was embedded in the Validator.js file of the @0xengine/xmlrpc package, allowing it to covertly launch the XMRig cryptominer and harvest sensitive data such as SSH keys and Bash command history. The stolen data was then exfiltrated through Dropbox and file.io, making it hard to trace.
The malware was distributed both through direct installation from npm and as a dependency of a GitHub project named "YAWPP", purportedly a tool for WordPress work. By riding on trusted repositories, this tactic infected the systems of unsuspecting developers.
The attack was carefully orchestrated to activate only under certain conditions, such as specific commands or the use of YAWPP scripts. To maximize mining yield, the malware detected user inactivity and ran the miner only during idle periods. A systemd service was also installed so that the miner restarted automatically after a reboot.
During the investigation, Checkmarx identified 68 compromised systems connected to the Hashvault.pro mining pool, all mining Monero for the attacker. To evade detection, the malware monitored running processes and halted suspicious activity whenever system control tools were started. Further techniques were used to obscure data transmission and cover the attacker's tracks.
This incident underscores the need for continuous security review of the packages in use and of their updates. Developers and organizations should review source code thoroughly and monitor changes between versions so that threats do not slip into their projects.