
Two malicious npm packages are hiding backdoor in image files


Attackers planted two malicious npm packages, img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy, that hide command-and-control functionality within seemingly innocuous image files. Disguised as legitimate projects, these packages execute hidden scripts that let attackers control compromised systems remotely.

The identified malicious packages initially appear legitimate, mimicking genuine projects. The first package, “img-aws-s3-object-multipart-copy,” is a deceptive clone of the authentic “aws-s3-object-multipart-copy” library on GitHub. On deeper inspection, however, researchers found a crucial alteration in the index.js file, which now executes a new script named loadformat.js that carries the malicious payload.

The loadformat.js script ostensibly performs routine image analysis but conceals a mechanism for executing hidden code. It reads each byte of an image file, converts every byte with a value between 32 and 126 (the printable ASCII range) into a character, and appends those characters to a string variable. The accumulated string forms the body of a covert function defined by the threat actor.

Malicious code addition to the index.js file. | Source: Phylum

“At first glance, these packages appear entirely legitimate; however, as our system automatically noted, they contained sophisticated command and control functionality hidden in image files that would be executed during package installation,” explained researchers.

The true intent is revealed when a condition, marked by the variable “convertertree,” triggers the execution of code extracted from the image file. If the length of the bytes exceeds 2,000, the payload is executed, signifying the presence of hidden command-and-control instructions.

“If convertertree is set to true, imagebyte is set to analyzepixels. In plain language, if converttree is set, it will execute whatever is contained in the script we extracted from the image file,” researchers wrote. “We note that convertertree will be set to true if the length of the bytes found in the image is greater than 2,000.”

Source: Phylum

Three image files — logo1.jpg, logo2.jpg, and logo3.jpg — are processed within the loadformat.js script. While two images (Intel and AMD logos) fail to meet the execution criteria, the Microsoft logo (logo2.jpg) successfully triggers the command-and-control functionality. This image initiates contact with a remote server at 85.208.108.29, registering the client and setting up a loop to fetch and execute commands every five seconds.

The executed commands are then sent back to the attacker, establishing a persistent and covert communication channel.

Researchers discovered the malicious npm packages and reported them for removal. However, these packages remained accessible on npm for nearly two days, exposing developers to potential exploitation.

“We have reported these packages for removal, however, the malicious packages remained available on npm for nearly two days. This is worrying as it implies that most systems are unable to detect and promptly report on these packages, leaving developers vulnerable to attack for longer periods of time,” cautioned researchers.

Last year, researchers discovered over 15,000 malicious packages on npm.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
