Threats Tagged 'github-abuse'

Multiple npm packages in the SAP JavaScript and cloud application development ecosystem were compromised in a suspected supply chain attack. Affected packages include mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2. The compromised versions introduced malicious preinstall scripts that download and execute Bun binaries from GitHub, then run heavily obfuscated payloads designed to harvest credentials from developer machines and CI/CD environments. The payloads steal SSH keys, cloud credentials, npm tokens, GitHub access, cryptocurrency wallets, and CI/CD secrets directly from runner memory. Stolen data is encrypted and exfiltrated via GitHub repositories created under victim accounts. The malware also attempts self-propagation by injecting itself into additional packages using stolen npm tokens and establishes persistence through VSCode and Claude IDE configurations.

A malicious Go module impersonating the legitimate golang.org/x/crypto has been discovered, containing a backdoor in ssh/terminal/terminal.go. This module captures passwords, exfiltrates them, and executes remote commands. The attack chain includes a Linux stager that installs an SSH key for persistence, weakens firewall settings, and deploys a Rekoobe backdoor. The campaign targets high-trust cryptography libraries and likely aims at cloud environments. The threat actor uses GitHub for staging and disguises payloads as media files. This sophisticated supply chain attack highlights the need for careful scrutiny of Go module changes and implementation of robust security measures in development workflows.

MediumMalwareUnited StatesChinaGermany+7#cryptography-impersonation#rekoobe#supply-chain-attack