
Hackers Conceal Pulsar RAT Within PNG Images in New NPM Supply Chain Offensive

  • Feb 23

Background


The cybersecurity researchers at Veracode have discovered a new type of supply chain attack targeting the NPM ecosystem. The attack involves hiding a dangerous Pulsar Remote Access Trojan (RAT) inside seemingly innocuous PNG image files.


Key Findings


  • Hackers used a typosquatting technique to create a malicious NPM package named "buildrunner-dev" that closely resembles a legitimate tool called "buildrunner".

  • Once installed, the package downloads a heavily obfuscated script that is over 1,600 lines long, containing random words to distract from the malicious payload.

  • The script downloads a PNG image from a free hosting site, and uses steganography to extract hidden malicious code from the image's pixel data.

  • The malware also employs process hollowing to disguise its activities, replacing the "insides" of a benign program with its own malicious code.

  • The final payload is the Pulsar RAT, which gives the attackers full remote control of the compromised system.

  • The malware uses various techniques to evade detection by common antivirus solutions, such as copying itself to a hidden folder and using a Windows tool to bypass security warnings.


Background


The NPM ecosystem is a popular, widely used platform for sharing and distributing software packages. This makes it an attractive target for supply chain attacks, as compromising a single package can potentially impact a large number of downstream users.


In this case, the attackers leveraged a typosquatting technique to create a malicious NPM package that closely resembled a legitimate tool. This increases the chances that a developer will accidentally install the malicious package, triggering the attack.


Malware Analysis


The core of the attack is the heavily obfuscated script that is downloaded by the malicious NPM package. This script contains over 1,600 lines of text, the majority of which are just random words and phrases meant to confuse and distract security analysts.


However, within this noise, the script contains approximately 21 lines of actual malicious commands. These commands are responsible for downloading a PNG image from a free hosting site and using steganography to extract hidden malware code from the image's pixel data.


The extracted malware then employs process hollowing to disguise its activities, replacing the "insides" of a benign program with its own malicious code. This helps the malware avoid detection by security solutions that are monitoring for suspicious processes.


The final payload of this attack is the Pulsar RAT, a powerful remote access tool that gives the attackers full control over the compromised system. The malware uses obfuscated file names like "CheaperMyanmarCaribbean.exe" to further conceal its presence on the infected machine.


Mitigations and Recommendations


To defend against this type of supply chain attack, security teams should:


  • Implement robust package management policies and controls to vet third-party NPM packages before installation.

  • Use static and dynamic analysis tools to detect obfuscated scripts and hidden malware payloads.

  • Educate developers on the risks of typosquatting and the importance of verifying package sources.

  • Deploy advanced endpoint protection solutions capable of detecting and preventing process hollowing and other evasion techniques.
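One concrete form of the first recommendation is a pre-install check that flags dependency names imitating an approved package, the way "buildrunner-dev" imitates "buildrunner". The script below is an added illustration, not code from Veracode or from the article; the allowlist, affix list and sample manifest are constructed for the example.

```javascript
// Added example: flag dependency names in a package.json-style manifest that look like
// typosquats of an approved allowlist (e.g. "buildrunner-dev" vs "buildrunner").
// The allowlist here is constructed; a real team would load it from its internal registry.
const APPROVED = ["buildrunner", "lodash", "express", "react"];

// Optimal-string-alignment edit distance: counts insertions, deletions, substitutions
// and adjacent transpositions, so "buidlrunner" is distance 1 from "buildrunner".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Affixes bolted onto a real name to make a decoy; "-dev" is the one used in this campaign,
// the rest are constructed for the example.
const DECOY_AFFIXES = ["-dev", "-js", "-node", "-cli", "-utils", "js-", "node-"];

// Returns the approved name a candidate imitates, or null if it looks unrelated.
function lookalikeOf(name) {
  if (APPROVED.includes(name)) return null;          // exact match: vetted, not a lookalike
  for (const good of APPROVED) {
    if (editDistance(name, good) <= 1) return good;   // one typo or transposition away
    for (const affix of DECOY_AFFIXES) {
      if (name === good + affix || name === affix + good) return good;
    }
  }
  return null;
}

// Scans dependencies and devDependencies of a parsed package.json and returns findings.
function scanManifest(manifest) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const name of Object.keys(manifest[section] || {})) {
      const target = lookalikeOf(name);
      if (target) findings.push({ section, name, imitates: target });
    }
  }
  return findings;
}

// Constructed sample manifest: one affix decoy, one vetted package, one single-typo name.
const SAMPLE = {
  dependencies: { "buildrunner-dev": "^1.0.0", lodash: "^4.17.21" },
  devDependencies: { expres: "^4.0.0" },
};
console.log(scanManifest(SAMPLE));
```

Run it as `node check-deps.js` in CI before `npm install`; a non-empty findings list should block the build until someone confirms the name is intended.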


By staying vigilant and adopting a multilayered security approach, organizations can mitigate the risks posed by this sophisticated NPM supply chain attack.


Sources


  • https://hackread.com/hackers-pulsar-rat-png-images-npm-supply-chain-attack/

  • https://x.com/xcybersecnews/status/2025589092256235770

  • https://x.com/Dinosn/status/2025636583806746878

  • https://www.socdefenders.ai/item/56889a32-e6c6-43c3-9aea-b536b34c7d90

  • https://x.com/HackRead/status/2025560073183830136

© 2025 by Explain IT Again