
wordpress credentials stolen in yearlong supply-chain attack


A sophisticated and ongoing supply-chain attack that has operated for the past year has been stealing sensitive login credentials from security personnel, malicious and benevolent alike, by infecting them with Trojanized versions of open source software hosted on GitHub and NPM, researchers said. The campaign, first reported three weeks ago by security firm Checkmarx and again on Friday by Datadog, uses multiple avenues to infect the devices of researchers in security and other technical fields. One vector is packages that have been available on open source repositories for over a year.

These packages install a professionally developed backdoor that conceals its presence with great care. The unknown threat actors behind the campaign have also employed spear phishing that targets thousands of researchers who publish papers on the arXiv platform. The objectives of the threat actors are multifaceted.

One is the collection of SSH private keys, Amazon Web Services access keys, command histories, and other sensitive information from infected devices every 12 hours. When the report went live, dozens of machines remained infected, and an online account on Dropbox contained some 390,000 credentials for WordPress websites taken by the attackers, likely stolen from fellow malicious actors. The malware used in the campaign also installs cryptomining software that was present on at least 68 machines as of last month.

Datadog researchers have designated the group MUT-1244, with MUT short for “mysterious unattributed threat.” The campaign first came to light when Checkmarx discovered @0xengine/xmlrpc, a package that had circulated on the NPM JavaScript repository since October 2023. Initially a benign package offering a JavaScript implementation of the XML-RPC protocol, @0xengine/xmlrpc slowly evolved into malware by introducing heavily obfuscated code hidden in one of its components over time. In its first 12 months, the package received 16 updates, creating the impression it was a benign and legitimate library.

MUT-1244 complemented @0xengine/xmlrpc with a second package published on GitHub, called yawpp. Ostensibly a tool for checking WordPress credentials and posting content, yawpp was weaponized by declaring @0xengine/xmlrpc as a dependency: anyone installing yawpp automatically pulled in the malicious package as well, which helped it remain in the NPM ecosystem for so long.

The malicious functionality of the @0xengine/xmlrpc package remained dormant until activated through specific vectors.

stealthy supply-chain malware campaign detailed

Users of the package itself would trigger the malware by running its validator functionality with the ‘--targets’ or ‘-t’ flag.

Alternatively, users installing the “yawpp” WordPress tool from GitHub would automatically receive the malicious package as a dependency, triggering malware activation through yawpp’s main scripts. The malware maintained persistence by disguising itself as a legitimate session authentication service named Xsession.auth. Every 12 hours, Xsession.auth would systematically collect sensitive system information, including SSH keys, command histories, system configurations, and network information.
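For defenders who want to turn the two indicators the article names into a quick host check, the following script is an added example and is not code from the article, Checkmarx or Datadog. It scans an npm lockfile (both the older nested `dependencies` layout and the newer `packages` layout) for a direct or transitive pull-in of `@0xengine/xmlrpc` or `yawpp`, and looks through common persistence directories for anything named after, or referring to, `Xsession.auth`. The directory list is an assumption, since the article says only that the component posed as a service with that name, not where it registered itself; the lockfile contents and unit files built in `run_demo()` are constructed sample data.

```python
import json
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: the malicious NPM package, the GitHub
# tool that declared it as a dependency, and the name the persistence
# component hid behind.
MALICIOUS_PACKAGES = {"@0xengine/xmlrpc", "yawpp"}
PERSISTENCE_MARKER = "Xsession.auth"

# Assumed locations to scan; the article does not say how Xsession.auth
# was registered, so this is a generic list of Linux persistence spots.
DEFAULT_PERSISTENCE_DIRS = [
    "/etc/systemd/system",
    "/usr/lib/systemd/system",
    "/etc/cron.d",
    os.path.expanduser("~/.config/systemd/user"),
    os.path.expanduser("~/.config/autostart"),
]


def find_malicious_dependencies(lockfile_path):
    """Return sorted names of known-bad packages recorded in an npm lockfile.

    lockfileVersion 2/3 keys "packages" by node_modules path, so a transitive
    pull-in such as yawpp -> @0xengine/xmlrpc shows up as its own entry;
    lockfileVersion 1 nests "dependencies" maps, which we walk recursively.
    """
    data = json.loads(Path(lockfile_path).read_text())
    found = set()

    # v2/v3: "node_modules/yawpp/node_modules/@0xengine/xmlrpc" -> last segment
    for key in data.get("packages", {}):
        name = key.split("node_modules/")[-1]
        if name in MALICIOUS_PACKAGES:
            found.add(name)

    # v1: nested dependency tree
    def walk(deps):
        for name, meta in deps.items():
            if name in MALICIOUS_PACKAGES:
                found.add(name)
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return sorted(found)


def find_persistence_artifacts(dirs=DEFAULT_PERSISTENCE_DIRS):
    """Return sorted paths of files whose name or text mentions Xsession.auth."""
    hits = []
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue  # missing directory is not a finding
        for path in base.rglob("*"):
            if not path.is_file():
                continue
            if PERSISTENCE_MARKER in path.name:
                hits.append(str(path))
                continue
            try:
                if PERSISTENCE_MARKER in path.read_text(errors="ignore"):
                    hits.append(str(path))
            except OSError:
                pass  # unreadable file; skip rather than abort the scan
    return sorted(hits)


# Constructed sample lockfile (versions are placeholders, not real releases):
# the app depends on yawpp, which in turn depends on @0xengine/xmlrpc.
SAMPLE_LOCKFILE = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"yawpp": "1.0.0", "express": "1.0.0"}},
        "node_modules/yawpp": {
            "version": "1.0.0",
            "dependencies": {"@0xengine/xmlrpc": "1.0.0"},
        },
        "node_modules/@0xengine/xmlrpc": {"version": "1.0.0"},
        "node_modules/express": {"version": "1.0.0"},
    },
}


def run_demo():
    """Build constructed inputs in a temp dir, scan them, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        lock = Path(tmp) / "package-lock.json"
        lock.write_text(json.dumps(SAMPLE_LOCKFILE))
        unit_dir = Path(tmp) / "systemd"
        unit_dir.mkdir()
        # Constructed unit files: one carries the marker name, one is benign.
        (unit_dir / "Xsession.auth.service").write_text("[Unit]\nDescription=sample\n")
        (unit_dir / "harmless.service").write_text("[Unit]\nDescription=sample\n")
        deps = find_malicious_dependencies(lock)
        persist = [Path(p).name for p in find_persistence_artifacts([str(unit_dir)])]
        return deps, persist


if __name__ == "__main__":
    print(run_demo())
```

On a real host, point `find_malicious_dependencies` at each project's `package-lock.json` and call `find_persistence_artifacts()` with no arguments to use the assumed directory list; a hit on either check is a reason to pull the full indicator lists from the Checkmarx and Datadog reports rather than a verdict on its own.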

The stolen data was then uploaded to online storage services like Dropbox or file.io. Datadog revealed additional methods MUT-1244 used for installing its second-stage malware. This included at least 49 malicious entries posted to GitHub with Trojanized proof-of-concept exploits for security vulnerabilities.

Another major vector was spear phishing emails sent to researchers in high-performance computing, encouraging them to install a fake CPU microcode update. The phishing emails, sent between October 5 and October 21, were directed to 2,758 email addresses scraped from arXiv. To add further legitimacy, several malicious packages were automatically included in legitimate sources like Feedly Threat Intelligence and Vulnmon, increasing their chances of being run by unsuspecting users.

The attackers’ use of @0xengine/xmlrpc allowed them to steal approximately 390,000 credentials from infected machines. Datadog confirmed these credentials were for logging into administrative accounts for WordPress websites. The campaign’s longevity, precision, and the professional quality of the backdoor indicate that MUT-1244 is a skilled and determined threat actor.

However, the group made an error by leaving the phishing email template and addresses publicly accessible. The ultimate motives of the attackers remain unclear, as the combination of cryptocurrency mining and targeting researchers presents a somewhat contradictory agenda. Both Checkmarx and Datadog include indicators for potential targets to check if they’ve been affected.
