October 3, 2023

Researchers from Checkmarx detailed about a threat actor leveraging NPM packages to target developers to steal source code and secrets.

Active since 2021, the threat actor has been publishing malicious NPM packages that designed to execute automatically upon installation. The malicious packages were designed with the purpose of exfiltrating sensitive data such as source code and configuration files from the machines of victims.

Each NPM package contained three files — package.json, preinstall.js, and index.js — that were used as part of the attack process. Upon installing the malicious package, a post-install hook defined in the package.json file triggers the preinstall.js script, with the script then using a method called spawn: to initiate another file named index.js.


When index.js runs as a separate process, it continues to operate independently even after the main installation process is complete. The index.js script collects the current operating system username and working directory and then sends this information in an HTTP GET request to a predefined server.

The malicious code then looks through directories on the now infected machine and targets specific directories such as .env, .gitlab and .github and files with extensions such as .asp, .js and .php. The code subsequently compresses the discovered directories, avoids unreadable directories or existing .zip files and then attempts to upload the archives to a predefined FTP server.

Based on the metadata analyzed in the malicious NPMs files, the author goes by the name of “lexi2.” A search for other references to lexi2 also found additional malicious packages dating back to 2021.

The researchers noted that sharing metadata and tracking attackers is essential to a broader security approach that goes beyond short-term fixes and delves into the ongoing monitoring and analysis of attacker behavior and patterns.

Leave a Reply

%d bloggers like this: