A suspicious npm package named ‘react-zutils’ harbours multi-stage obfuscated malware, including a keylogger and a clipboard stealer designed to steal sensitive data from cryptocurrency-related browser extensions, posing a significant threat to developers and users in the cryptocurrency space.
The package presents itself as a comprehensive utility library for React applications, claiming to offer various functionalities for developers. However, hidden within its code is nefarious malware.
The package listed 25 dependencies and included a preinstall hook that executed a script named ‘launch.js.’ This script’s role was to initiate another obfuscated and minified script, ‘setup-script.js,’ in a detached process, allowing the malware to operate independently of the main installation.
“We can see that it markets itself as ‘All Utils for React App’ and then goes on to list 25 dependencies. The most interesting bit here, however, is the preinstall hook. We can see that upon package installation, it’s launching node launch.js,” said researchers from Phylum.
The initial script, ‘launch.js,’ imports ‘child_process’ and ‘path’ modules to resolve the path to ‘setup-script.js’ and then executes it in a new process, detaching itself to avoid detection. Researchers found the setup-script.js highly obfuscated using custom methods, making it challenging to analyse.
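The preinstall-hook-plus-detached-launcher pattern described above is easy to check for before a package is installed. The audit helper below is an added example written for this article (not code from Phylum or from the package): it flags npm lifecycle hooks that run a local Node file and inspects that file for a detached child_process spawn. The package.json and launch.js contents are constructed samples shaped like the behaviour the article describes.

```javascript
// Added audit helper (not from the Phylum write-up or the package itself).
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Lifecycle hooks that run a local Node file, e.g. "node launch.js".
function lifecycleNodeScripts(pkg) {
  const hits = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const m = cmd.match(/\bnode\s+(\S+\.[cm]?js)\b/);
    if (m) hits.push({ hook, file: m[1] });
  }
  return hits;
}

// Heuristic: the script loads child_process, spawns with detached: true and
// unref()s the child so it outlives the installer (the launch.js pattern).
function looksLikeDetachedLauncher(source) {
  const usesChildProcess = /(require\(|from\s+)['"]child_process['"]/.test(source);
  const detached = /detached\s*:\s*true/.test(source);
  const unref = /\.unref\(\)/.test(source);
  return usesChildProcess && detached && unref;
}

// files maps a file name inside the package tarball to its source text.
function auditPackage(pkg, files) {
  return lifecycleNodeScripts(pkg).map(({ hook, file }) => ({
    hook,
    file,
    detachedLauncher:
      typeof files[file] === 'string' && looksLikeDetachedLauncher(files[file]),
  }));
}

// Constructed samples shaped like the behaviour described in the article.
const samplePkg = {
  name: 'example-utils',
  description: 'All Utils for React App',
  scripts: { preinstall: 'node launch.js' },
};
const sampleFiles = {
  'launch.js': [
    "const { spawn } = require('child_process');",
    "const path = require('path');",
    "const target = path.resolve(__dirname, 'setup-script.js');",
    "spawn(process.execPath, [target], { detached: true, stdio: 'ignore' }).unref();",
  ].join('\n'),
};
console.log(JSON.stringify(auditPackage(samplePkg, sampleFiles), null, 2));
```

Run it against an unpacked tarball (npm pack, then read package.json and the referenced files) to get the same findings for a real package; a hit on preinstall with detachedLauncher true is the shape of the behaviour described here.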
The obfuscation in ‘setup-script.js’ involved complex string decoding and decryption mechanisms. Researchers found that the script started by defining two immediately invoked async functions, each aimed at a different aspect of the attack:
- Data collection: The first async function targeted local Chrome, Brave, and Opera browser directories across Windows, macOS, and Linux. It searched for browser extensions associated with cryptocurrency wallets, specifically looking for log (.log) and database (.ldb) files that might contain private keys, seed phrases, and other sensitive information. Once found, this data was collected and uploaded to a remote server via an ngrok endpoint.
- Persistent execution: The second async function checked whether the system was running Windows. If so, it looked for a Python executable at a specified path. If none was found, indicating a first-time execution, it downloaded a tar archive containing additional malicious payloads from another ngrok endpoint. A similar process was followed on non-Windows systems, using different endpoints to download a Python client.
The script set up a periodic execution mechanism using ‘setInterval’ to repeatedly call the data collection function every ten minutes for 40 minutes. This persistence ensured multiple attempts to steal and upload data, increasing the chances of successful data exfiltration.
“This is a periodic execution mechanism set up by setInterval that ensures repeatInitialization is called every 6e5 ms (10 minutes) four times. If you recall, setup-scripts.js was spawned in detached mode from launch.js, so even after the package installation is complete and launch.js terminates, setup-setup.js will remain alive for another 40 minutes, periodically retrying to steal and exfiltrate the browser extension data and download the Python code and client,” noted researchers.
Researchers also discovered several other malicious scripts hosted on various endpoints. These scripts included functionality to locate, decrypt, and exfiltrate browser extension data, capture keystrokes, and silently execute additional malicious code. A particularly concerning discovery was an endpoint that, upon a GET request, returned thousands of entries containing potentially stolen credentials, though researchers could not determine whether these came from victims or from the attacker’s own testing.
This isn’t the first encounter with such malware. Researchers noted a similar attack was reported in February 2024, where fake developer job postings led to candidates unknowingly executing malicious code.
Researchers have urged developers to exercise extreme caution when integrating third-party packages and to perform thorough security audits.