An NPM and PyPI Malicious Campaign Targeting Windows Users
Nov. 26, 2024, 9:34 p.m.
Description
Datadog Security Research has uncovered an ongoing supply chain attack targeting both the npm and PyPI package repositories, tracked as MUT-8694. The campaign uses malicious packages to deliver infostealer malware to Windows users, abusing legitimate services such as GitHub and repl.it to host payloads. The threat actor relies on typosquatting and targets developers, particularly those working with Roblox. Two main malware families are deployed: Blank Grabber and Skuld Stealer, both open-source projects capable of stealing credentials, cryptocurrency wallets, and other sensitive information. The campaign's multi-ecosystem approach and persistence highlight the growing risk to open-source package repositories.
Date
Published: Nov. 26, 2024, 9:06 p.m.
Created: Nov. 26, 2024, 9:06 p.m.
Modified: Nov. 26, 2024, 9:34 p.m.
Indicators
Attack Patterns
Skuld Stealer
Blank Grabber
MUT-8694
T1195.001
T1059.001
T1552
T1087
T1056.001
T1555
T1113
T1082
T1083
T1055