Attackers are increasingly exploiting Node.js, a widely trusted, open-source JavaScript runtime, to deliver sophisticated malware, steal sensitive data, and compromise entire systems. They leverage Node.js both for direct script execution and as a vehicle for compiled malware, often bypassing traditional security controls.

Embedding malicious code within Node.js executables or npm (Node Package Manager) packages allows attackers to blend their malware with legitimate applications, evade detection, and persist within target environments.

One prominent campaign involves malvertising, placing malicious ads on popular websites to lure users into downloading trojanized installers. Microsoft reports that the attack chain involves initial access where the user downloads a malicious installer from a fake cryptocurrency platform. These installers contain malicious DLLs, which, upon execution, gather system information using Windows Management Instrumentation (WMI) and establish persistence via scheduled tasks that launch PowerShell commands. Additional scripts fetch and execute Node.js binaries and compiled JavaScript files (JSC), which launch further malicious routines, such as credential theft and browser data exfiltration.

NodeLoader leverages the sudo-prompt module for privilege escalation and hides its activities by creating hidden directories and obfuscated PowerShell scripts. Obfuscated scripts gather Windows, BIOS, and user data, sending it in JSON format to a remote C2 server via HTTP POST.

Supply chain compromises have surged, with attackers hijacking legitimate npm packages or creating lookalike packages (typosquatting). Once installed, the malicious package injects obfuscated JavaScript to intercept and reroute cryptocurrency transactions, exploiting the trusted status of these packages and the Electron framework's architecture.

As attackers grow more adept at blending malicious code with trusted platforms, organizations must enhance monitoring, update vulnerable dependencies, and educate users to defend against these emerging threats.

Kaaviya is a Security Editor and fellow reporter with Cyber Security News.
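The installer chain above (scheduled task launching PowerShell, PowerShell pulling down node.exe and a compiled .jsc file from a hidden directory, JSON posted to a C2 over HTTP) leaves a recognisable footprint in endpoint telemetry. The following Python rule evaluator is an added example written for this article, not code from Microsoft, the article's author, or any product; the event schema, the field names, the "dot-prefixed directory counts as hidden" heuristic and the sample events are all constructed assumptions.

```python
"""Added example: flag the stages of a Node.js loader chain in endpoint telemetry.

The Event schema and all sample events below are constructed for this example
(not real telemetry, not the article's IoCs).
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                # "task" (scheduled task registered), "process", or "http"
    image: str = ""          # executing binary (process / http)
    parent: str = ""         # parent binary (process)
    cmdline: str = ""        # command line (process) or task action (task)
    path: str = ""           # script/file argument, if any (process)
    method: str = ""         # HTTP method (http)
    content_type: str = ""   # HTTP Content-Type header (http)
    dest: str = ""           # destination host or IP (http)


@dataclass
class Finding:
    rule: str
    event: Event


# PowerShell switches commonly seen in loaders that want to run unseen.
PS_MARKERS = ("-encodedcommand", "-enc ", "windowstyle hidden", "-w hidden",
              "executionpolicy bypass", "-ep bypass")
# Parents that indicate the Task Scheduler started the process. Assumption:
# svchost.exe is treated as the scheduler host; real rules should also check
# that it is the "Schedule" service instance.
TASK_PARENTS = {"svchost.exe", "taskeng.exe"}
# Heuristic: a dot-prefixed directory component or the user's Temp folder.
HIDDEN_DIR = re.compile(r"\\\.[^\\]+\\|\\AppData\\Local\\Temp\\", re.IGNORECASE)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return one Finding per (rule, event) match; benign events yield nothing."""
    findings = []
    for ev in events:
        exe = _basename(ev.image)
        cmd = ev.cmdline.lower()
        suspicious_ps = any(m in cmd for m in PS_MARKERS)

        if ev.kind == "task" and "powershell" in cmd and suspicious_ps:
            findings.append(Finding("persistence: scheduled task launches hidden/encoded PowerShell", ev))

        if ev.kind == "process" and exe == "powershell.exe" \
                and _basename(ev.parent) in TASK_PARENTS and suspicious_ps:
            findings.append(Finding("execution: PowerShell spawned by Task Scheduler with hidden/encoded flags", ev))

        if ev.kind == "process" and exe == "node.exe":
            if ev.path.lower().endswith(".jsc"):
                findings.append(Finding("execution: node.exe running compiled JavaScript (.jsc)", ev))
            if HIDDEN_DIR.search(ev.image) or HIDDEN_DIR.search(ev.path):
                findings.append(Finding("defense evasion: node.exe or its script lives in a hidden/temp directory", ev))

        if ev.kind == "http" and ev.method.upper() == "POST" \
                and "json" in ev.content_type.lower() \
                and exe in ("node.exe", "powershell.exe") and IPV4.match(ev.dest):
            findings.append(Finding("exfiltration: JSON POST to a bare IP from node/powershell", ev))
    return findings


# Constructed sample telemetry: four events from the loader chain, two benign.
SAMPLE_EVENTS = [
    Event(kind="task",
          cmdline=r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\.node\update.ps1"),
    Event(kind="process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\svchost.exe",
          cmdline="powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    Event(kind="process", image=r"C:\Users\alice\AppData\Local\.node\node.exe",
          parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r"node.exe C:\Users\alice\AppData\Local\.node\app.jsc",
          path=r"C:\Users\alice\AppData\Local\.node\app.jsc"),
    Event(kind="http", image=r"C:\Users\alice\AppData\Local\.node\node.exe",
          method="POST", content_type="application/json", dest="203.0.113.10"),
    # Benign: a developer running a build script from an installed Node.js.
    Event(kind="process", image=r"C:\Program Files\nodejs\node.exe",
          parent=r"C:\Windows\System32\cmd.exe", cmdline="node.exe build.js",
          path=r"C:\dev\app\build.js"),
    Event(kind="http", image=r"C:\Program Files\nodejs\node.exe",
          method="POST", content_type="application/json", dest="registry.npmjs.org"),
]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.event.kind}: {f.event.cmdline or f.event.image} {f.event.dest}")
```

Each rule maps to one stage the article names, so a single node.exe launch from a dot-prefixed folder with a .jsc argument produces two findings, and the benign build and npm-registry events produce none. In production the hidden-directory test should use the file system's hidden attribute rather than the name, and the svchost.exe parent check should be narrowed to the Schedule service instance.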
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 16 Apr 2025 09:58:39 +0000