ReversingLabs researchers have discovered two malicious packages on the npm open source package manager that leverage GitHub to store stolen, Base64-encoded SSH keys lifted from developer systems that installed the malicious npm packages. Multiple versions of the malicious npm packages, warbeast2000 and kodiak2k, were identified in January and have since been removed from npm. However, the campaign is just the latest example of cybercriminals and malicious actors using open source package managers and related infrastructure to support malicious software supply chain campaigns that target development organizations and end-user organizations.
Disclaimer: This article is part of X-Force OSINT Advisories’ automated collection to enable faster integration of open-source articles to client environments. All credit and copyright goes to the original authors.
Reference: https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data
Sample Indicators of Compromise:
31abb6e4399138b33545ab5dfa3e12fe1ad4d16e55f6b8f098ce173f4bfba374fc6da3cd8e0ff435717fa522c6ee505002bf17d3e79385544834461e7165b6329ae524392812c534f9bb7e225e305ffe562238aff7746bdc60f891670c0c8bff46cebe02