A sophisticated supply chain attack targeting the npm package registry has been operating undetected for over a year. The malicious package, identified as @0xengine/xmlrpc, has compromised numerous systems through what initially appeared to be legitimate software.
The malware's capabilities include stealing SSH keys, bash history, and system information; deploying XMRig to mine cryptocurrency; exfiltrating the collected data through Dropbox and file.io; and monitoring running system processes so it can evade detection.
The malware spread primarily through two vectors: direct installation of the npm package and inclusion as a hidden dependency of a WordPress tool called “yawpp.” The package was downloaded 1,790 times, and 68 systems were confirmed to be actively mining cryptocurrency. The attack specifically targets Node.js users.
In a parallel development, Datadog Security Labs uncovered a separate campaign (MUT-8694) targeting Windows users. This campaign deployed Blank-Grabber and Skuld Stealer malware through fake packages on npm and PyPI, with a particular focus on Roblox developers.
This incident demonstrates that even well-maintained packages with lengthy histories can be compromised, underlining the critical importance of continuously monitoring dependencies, including transitive ones, in software development.