Cybersecurity researchers have discovered a new ongoing campaign aimed at the npm ecosystem that leverages a unique execution chain to deliver an unknown payload to targeted systems. "The packages in question seem to be published in pairs, each pair working in unison to fetch additional resources which are subsequently decoded and/or executed," software supply chain security firm Phylum said in a report released last week.
To that end, the order in which the pair of packages is installed is paramount to pulling off a successful attack, as the first of the two modules is designed to store locally a token retrieved from a remote server. The campaign was first discovered on June 11, 2023.
The second package subsequently passes this token as a parameter, alongside the operating system type, to an HTTP GET request to acquire a second script from the remote server. A successful execution returns a Base64-encoded string that is immediately executed, but only if that string is longer than 100 characters.
Phylum revealed that the endpoint has so far returned the string "bm8gaGlzdG9yeSBhdmFpbGFibGU=", which decodes to "no history available", implying either that the attack is still a work in progress or that it is engineered to return a payload only at specific times. Another hypothesis for this behavior is that it depends on the IP address (and, by extension, the location) from which the first package's request is sent when the token is generated.
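For analysts who capture a response from an endpoint like the one described above, the following added example (not code from Phylum's report or from the packages) triages the body statically: it validates the Base64, checks the 100-character gate, and previews the decoded bytes without executing anything. The function names and the verdict labels are hypothetical, and it assumes the gate is measured on the encoded string as received.

```javascript
// Added example: static triage of a captured stage-two response. Nothing is executed.
const EXEC_GATE = 100; // article: the string is run only if longer than 100 characters

// Strict Base64: full 4-character groups, padding allowed only in the final group.
const B64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

function triageResponse(body) {
  const raw = String(body).trim();
  const result = {
    length: raw.length,
    validBase64: raw.length > 0 && B64_RE.test(raw),
    passesGate: raw.length > EXEC_GATE, // assumption: gate measures the encoded string
    decodedBytes: 0,
    printable: false,
    preview: null,
  };
  if (!result.validBase64) return result;

  const bytes = Buffer.from(raw, 'base64');
  result.decodedBytes = bytes.length;
  // Printable means every byte is tab, LF, CR or ASCII 0x20-0x7e.
  result.printable = bytes.every(
    (b) => b === 9 || b === 10 || b === 13 || (b >= 0x20 && b <= 0x7e)
  );
  // Text preview for printable data, hex of the first bytes otherwise.
  result.preview = result.printable
    ? bytes.toString('latin1').slice(0, 80)
    : bytes.subarray(0, 16).toString('hex');
  return result;
}

// Hypothetical labels for a triage queue.
function verdict(r) {
  if (!r.validBase64) return 'not-base64';
  if (!r.passesGate) return 'placeholder-below-gate';
  return r.printable ? 'script-candidate' : 'binary-candidate';
}

// The string quoted in the article, plus a constructed stand-in longer than the gate.
const OBSERVED = 'bm8gaGlzdG9yeSBhdmFpbGFibGU=';
const CONSTRUCTED = Buffer.from('x'.repeat(90)).toString('base64');

for (const s of [OBSERVED, CONSTRUCTED]) {
  const r = triageResponse(s);
  console.log(verdict(r), r.length, r.preview);
}
```

A response that lands in either candidate bucket is the one worth preserving and analyzing in isolation, since it is the first body the second package would actually have run.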