A new software supply chain attack has been discovered, targeting developers through the npm package registry. The library, named @0xengine/xmlrpc, initially appeared as a harmless JavaScript-based XML-RPC server and client for Node.js but later introduced malicious code to steal sensitive data and deploy a cryptocurrency miner.
@0xengine/xmlrpc was first published on October 2, 2023, and has since been downloaded 1,790 times. Initially it functioned as advertised, but in version 1.3.4, released just a day after its debut, the package was modified to perform the following malicious activities:
- Steal sensitive information such as SSH keys, bash history, system metadata, and environment variables every 12 hours.
- Exfiltrate the stolen data to external services such as Dropbox and file.io.
The attack was distributed through two primary methods:
- Direct installation from npm: developers unknowingly installed the malicious package directly from the npm registry.
- Hidden dependency: a GitHub project named yawpp (Yet Another WordPress Poster) lists @0xengine/xmlrpc as a dependency, so users installing yawpp also downloaded the compromised package without realizing it.
Once installed, the malware performs several malicious actions:
- Harvests system information and establishes persistence on the infected machine via systemd.
- Deploys the XMRig cryptocurrency miner to mine Monero, using the system's resources for the attacker's financial gain.
- Monitors running processes and suspends mining when process-monitoring tools such as top, iostat, or vmstat are detected, so that the CPU load is less likely to be noticed.
To date, at least 68 systems have been compromised and are actively mining cryptocurrency for the attackers.
This attack highlights the ongoing risks associated with the software supply chain. Even seemingly trustworthy packages with a clean maintenance history can be compromised. Both new and established libraries require continuous monitoring to ensure their safety.
This isn’t an isolated incident. Another campaign has been targeting Windows users through counterfeit packages uploaded to both npm and the Python Package Index (PyPI). These packages deploy malware like Blank-Grabber and Skuld Stealer, with some attacks specifically targeting developers working on platforms like Roblox.
To safeguard against malicious packages:
- Thoroughly vet all packages before installation, even if they seem legitimate, and review the transitive dependencies they pull in, not only the package you name.
- Monitor dependencies for unexpected updates using security tools like Dependabot or Snyk, and treat a version bump in an indirect dependency as something to review before it lands.
- Enable two-factor authentication (2FA) on npm and GitHub to add an extra layer of protection. Note that 2FA protects your own accounts and publishing rights against takeover; it does not protect you from a package whose author is the attacker, as in this case.
Wire Tor offers comprehensive penetration testing (pentest) services to help organizations secure their systems and software supply chains. Our experts specialize in identifying vulnerabilities and providing actionable recommendations to safeguard your digital assets.
💡 Follow for more pentest services and cybersecurity updates: Wire Tor Pentest Services