These packages, detected from November 2024 onward, employ sophisticated techniques to evade traditional security measures while executing harmful actions that can lead to data theft, unauthorized access, and complete system compromise. Similarly, malicious Node.js packages like seller-admin-common_6.5.8 and seller-rn-mng-lib_6.5.8 contain code that harvests sensitive information including internal and external IP addresses, DNS servers, and user details, bundling this data into JSON objects before transmitting it to attackers via Discord webhooks. These malicious packages pose substantial threats to Windows systems, with capabilities ranging from keylogging and data exfiltration to establishing backdoors and executing remote commands. FortiGuard Labs recommends that developers install packages only from trusted sources, review package content before installation, use isolated virtual environments, employ security scanning tools, and maintain up-to-date dependencies. Another 1,052 packages contained suspicious install scripts designed to silently deploy malicious code during the installation process, often modifying standard procedures to execute harmful actions without user awareness. Further analysis by Fortinet researchers revealed 681 packages utilizing suspicious APIs, including commands such as https.get and https.request, primarily used to exfiltrate sensitive data or establish remote control capabilities. The analysis reveals a disturbing trend in the evolution of cyber threats, with attackers continuously refining their methods to bypass security protocols and infiltrate systems undetected. Packages such as AffineQuant-99.6, amzn-aws-glue-ml-libs-python-6.1.5, and amzn-awsglue-6.1.4 were found to gather MAC addresses, hostnames, usernames, and directory information before transmitting this data to attacker-controlled servers. FortiGuard Labs has recently uncovered more than 5,000 malicious software packages designed to compromise Windows systems. The study also identified 537 packages with empty descriptions, a technique that further obscures malicious intent, and 164 packages with unusually high version numbers, used to mislead users into trusting outdated or potentially harmful software. One particularly concerning attack vector involves Python packages that exploit the setup.py file to silently collect system information. The code not only logs keystrokes but also establishes a backdoor with elevated privileges, providing attackers complete system control while collecting operating system details, installed applications, and network configurations. Additionally, 1,043 packages lacked repository URLs, raising significant concerns about their legitimacy and traceability, while 974 packages included suspicious URLs that potentially facilitate communication with command-and-control servers. The investigation identified 1,082 packages with low file counts, a tactic employed to minimize detection footprint while maximizing damage potential. The script employs different system commands depending on the operating system (getmac for Windows, ifconfig for Linux/macOS) and encodes the stolen information using base64 before exfiltration.
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 11 Mar 2025 11:50:07 +0000