
A new playground: Malicious campaigns proliferate from VSCode to npm

 

Threat actors: Not named; likely a group targeting developers and the cryptocurrency ecosystem.

Campaign overview: Malicious VSCode extensions and npm packages are used to compromise developers through the development toolchain itself, via the IDE and the project's dependencies, rather than through the finished application.

Targets: Developers who use npm and VSCode, with a focus on cryptocurrency communities. Some of the domains involved use the .lat and .ru TLDs, which the summary reads as a possible focus on Latin America and Russia; a TLD on its own is weak evidence of who is being targeted.

Methodology: The malicious extensions and packages carry an obfuscated JavaScript downloader. Credibility was manufactured with fabricated reviews and inflated install counts so the packages looked established.

Products targeted: VSCode (through extensions), npm (through packages), and the Node.js applications that pull those packages in.

Malware reference: Obfuscated JavaScript downloader; second-stage payloads are fetched from attacker-controlled domains including hxxps[:]//microsoft-visualstudiocode[.]com and hxxps[:]//captchacdn[.]com (URLs defanged; note the Microsoft lookalike).

Tools used: JavaScript Obfuscator for code obfuscation; malicious npm packages and VSCode extensions as the delivery vehicle.

Vulnerabilities exploited: None. No CVE is involved; the campaign does not exploit a software flaw but relies on publishing malicious code to an extension marketplace and the npm registry and on developers installing it.

TTPs:
– Obfuscated code inside legitimate-looking packages
– Fake reviews and inflated download statistics
– Second-stage payloads fetched from attacker-controlled domains

Attribution: Not explicitly named; the consistent tooling and tradecraft across the extensions and packages point to an organised actor or group.

Recommendations:
– Pre-approve, validate, and scan IDE plugins and dependencies before they reach developer machines
– Perform regular security assessments
– Monitor repositories and registries for malicious inclusions
– Use platforms such as RL's Spectra Assure

Source: ReversingLabs

Read full article: https://www.reversinglabs.com/blog/a-new-playground-malicious-campaigns-proliferate-from-vscode-to-npm

The above summary has been generated by an AI language model


Source: ReversingLabs

Published on: December 20, 2024
