Inside a Tor Backed Supply Chain Worm
A sophisticated npm supply chain attack involves a typosquatted package named crypto-javascri that mimics the legitimate crypto-js library. The malware harvests npm and GitHub credentials, hijacks maintainer accounts, and republishes trojanized packages under trusted identities. The final payload includes a weaponized Arti Tor client enabling credential theft, cryptomining, privilege escalation via SUID exploitation, and systemd-based persistence. Targeting Linux developer systems and CI/CD environments, the attack uses Tor-based command-and-control infrastructure for anonymity and resilience. It propagates in a worm-like fashion, creating significant downstream supply chain risk.
AI Analysis
Technical Summary
This threat is a malware campaign leveraging a typosquatted npm package 'crypto-javascri' to infiltrate developer environments. It steals credentials for npm and GitHub, enabling attackers to hijack maintainer accounts and push malicious package updates under trusted identities. The payload incorporates a modified Arti Tor client for covert command-and-control communications, facilitating credential theft, cryptomining, privilege escalation through SUID exploitation, and persistence via systemd services. The campaign specifically targets Linux systems used in development and CI/CD pipelines, employing worm-like propagation to spread across environments. The use of Tor infrastructure enhances attacker anonymity and resilience against takedown efforts.
Potential Impact
The attack compromises developer systems by stealing credentials and hijacking trusted package maintainer accounts, allowing widespread distribution of trojanized packages. This undermines the integrity of the npm supply chain, potentially affecting numerous downstream users and projects. The inclusion of cryptomining and privilege escalation capabilities increases the operational impact on infected systems. The worm-like propagation model amplifies the risk by enabling rapid spread within Linux developer and CI/CD environments. The use of Tor for command-and-control complicates detection and mitigation efforts.
Mitigation Recommendations
No official patch or remediation is currently documented for this threat. Patch status is not yet confirmed — check vendor advisories and trusted security sources for updates. Mitigation should focus on detecting and removing the typosquatted package 'crypto-javascri' and monitoring for unauthorized package republishing activity. Restricting use of packages from unverified sources and enforcing multi-factor authentication on maintainer accounts can reduce risk. Network monitoring for Tor-based traffic and unusual systemd service activity may help identify infections. Since this is a supply chain attack, verifying package integrity and provenance before deployment is critical.
Indicators of Compromise
- domain: 1cpur2zdsv762uzyoyzma6pvzz4a2xhv64zdouxpjlu3exyks7gh7leyd.onion
Inside a Tor Backed Supply Chain Worm
Description
A sophisticated npm supply chain attack involves a typosquatted package named crypto-javascri that mimics the legitimate crypto-js library. The malware harvests npm and GitHub credentials, hijacks maintainer accounts, and republishes trojanized packages under trusted identities. The final payload includes a weaponized Arti Tor client enabling credential theft, cryptomining, privilege escalation via SUID exploitation, and systemd-based persistence. Targeting Linux developer systems and CI/CD environments, the attack uses Tor-based command-and-control infrastructure for anonymity and resilience. It propagates in a worm-like fashion, creating significant downstream supply chain risk.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat is a malware campaign leveraging a typosquatted npm package 'crypto-javascri' to infiltrate developer environments. It steals credentials for npm and GitHub, enabling attackers to hijack maintainer accounts and push malicious package updates under trusted identities. The payload incorporates a modified Arti Tor client for covert command-and-control communications, facilitating credential theft, cryptomining, privilege escalation through SUID exploitation, and persistence via systemd services. The campaign specifically targets Linux systems used in development and CI/CD pipelines, employing worm-like propagation to spread across environments. The use of Tor infrastructure enhances attacker anonymity and resilience against takedown efforts.
Potential Impact
The attack compromises developer systems by stealing credentials and hijacking trusted package maintainer accounts, allowing widespread distribution of trojanized packages. This undermines the integrity of the npm supply chain, potentially affecting numerous downstream users and projects. The inclusion of cryptomining and privilege escalation capabilities increases the operational impact on infected systems. The worm-like propagation model amplifies the risk by enabling rapid spread within Linux developer and CI/CD environments. The use of Tor for command-and-control complicates detection and mitigation efforts.
Mitigation Recommendations
No official patch or remediation is currently documented for this threat. Patch status is not yet confirmed — check vendor advisories and trusted security sources for updates. Mitigation should focus on detecting and removing the typosquatted package 'crypto-javascri' and monitoring for unauthorized package republishing activity. Restricting use of packages from unverified sources and enforcing multi-factor authentication on maintainer accounts can reduce risk. Network monitoring for Tor-based traffic and unusual systemd service activity may help identify infections. Since this is a supply chain attack, verifying package integrity and provenance before deployment is critical.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.cloudsek.com/blog/inside-a-tor-backed-supply-chain-worm"]
- Adversary
- Sukob
- Pulse Id
- 6a0d970b3015e77563f4a9fa
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domain1cpur2zdsv762uzyoyzma6pvzz4a2xhv64zdouxpjlu3exyks7gh7leyd.onion | — |
Threat ID: 6a0f32f9e1370fbb4819e5f2
Added to database: 5/21/2026, 4:29:45 PM
Last enriched: 5/21/2026, 4:44:44 PM
Last updated: 5/21/2026, 6:44:38 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.