
Threat Actor Deploys Malicious Packages Using Hex Encoding and Delayed Execution

Over the past week, the Mend security team has found several instances of packages that use unusual techniques to disguise malicious intent. These techniques differ from what we have usually seen in the past, such as base64 encoding and JavaScript obfuscation. This time, a malicious actor is using hex encoding to hide the malicious behavior of the package. In addition, the threat actor attempts to evade some security mechanisms by delaying the execution of the malicious code until about one hour after initial installation. The goal, of course, is to improve the odds that the malicious package makes it into the production environment before it is noticed.

//Decoding from hex at runtime

//Delaying execution by about 1 hour
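A small static scanner for the two tells described above (a long quoted hex literal that decodes to readable code, and a timer delay of the order of an hour), as an added example that is not the Mend team's code nor code from the packages described; the sample source, the 32-hex-digit minimum and the 30 minute delay threshold are assumptions made for illustration:

```javascript
// Added example, not code from the Mend post or the packages it describes: a small static
// scanner for the two tells discussed above, run over a constructed sample. The sample,
// the 32-hex-digit minimum and the 30 minute delay threshold are assumptions.

// Constructed sample: a hex literal decoded at runtime, then a ~1 hour (3,600,000 ms) delay.
// The hex decodes to the harmless expression require("dns").getServers().
const SAMPLE_SOURCE = `
const p = Buffer.from("726571756972652822646e7322292e676574536572766572732829", "hex").toString();
setTimeout(() => execute(p), 60 * 60 * 1000);
`;

// 32+ hex digits inside matching quotes; short hex (colours, ids) is ignored on purpose.
const HEX_LITERAL = /(["'`])((?:[0-9a-fA-F]{2}){16,})\1/g;
// setTimeout/setInterval whose last argument is plain integer arithmetic (digits, + and *).
const TIMER_DELAY = /\bset(?:Timeout|Interval)\s*\([\s\S]*?,\s*([\d\s*+_]+)\)/g;
const LONG_DELAY_MS = 30 * 60 * 1000; // assumed threshold: a delay this long is unusual

// Evaluate "60 * 60 * 1000" style expressions without eval; NaN for anything else.
function evalDelay(expr) {
  if (!/^[\d\s*+_]+$/.test(expr)) return NaN;
  return expr.split("+").reduce((sum, term) =>
    sum + term.split("*").reduce((prod, f) => prod * Number(f.replace(/_/g, "").trim()), 1), 0);
}

// Decode each long hex literal; a mostly printable result is the "hidden code" tell.
function findHexLiterals(src) {
  return [...src.matchAll(HEX_LITERAL)].map(([, , hex]) => {
    const decoded = Buffer.from(hex, "hex").toString("utf8");
    const printable = decoded.replace(/[^\x20-\x7e\s]/g, "").length / decoded.length >= 0.9;
    return { hex, decoded, printable };
  });
}

// Report timer calls whose computed delay is at or above the threshold.
function findLongDelays(src, thresholdMs = LONG_DELAY_MS) {
  return [...src.matchAll(TIMER_DELAY)]
    .map(([, expr]) => ({ expr: expr.trim(), ms: evalDelay(expr) }))
    .filter(({ ms }) => ms >= thresholdMs);
}

function scanSource(src) {
  const hexStrings = findHexLiterals(src);
  const longDelays = findLongDelays(src);
  // Either tell alone merits a look; both in one file is the pattern described in the post.
  const suspicious = hexStrings.some((h) => h.printable) || longDelays.length > 0;
  return { hexStrings, longDelays, suspicious };
}

console.log(JSON.stringify(scanSource(SAMPLE_SOURCE), null, 2));
```

Run it against a package's unpacked `.js` files before install; a decoded hex string that reads as code, next to a multi-hour timer, is exactly what an analyst should see before deciding whether to trust the package.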

The first package is ‘bfs-hello-world’. Its first version, number 98.10.11, was uploaded to NPM on April 5th. The second version, number 98.10.13, was uploaded a few hours later.

Both versions were blocked by Diffend on the same day of creation.

The second package, ‘bfx-hf-func-data’, was uploaded to NPM on April 9th with only one version, number 94.10.9. It was blocked by Diffend two hours later.
Interestingly, in this package, the author used the famous ‘Lorem ipsum’ placeholder text that is commonly used to demonstrate the visual form of a document or a typeface without relying on meaningful content.

The third package, ‘wf_apn’, was added to NPM on April 12th with a single version, number 97.10.9. It was blocked by Diffend four hours later. In this package, the README file looks legitimate: it is disguised as a module for interfacing with the Apple Push Notification service, which is far from what the malicious package really does.

The attacker exfiltrates private information via two known webhook services – “pipedream.net” and “requestbin.net”. The private information captured by these packages is:

The list of IP addresses configured for DNS resolution on the current host.
The files present under the root directory, depending on the operating system (“C:\\“, “D:\\“, “/”, “/home”).

While gathering the private information, the attacker verifies that the machine executing the code does not carry the following identifiers, which probably belong to the attacker’s own machines:
Hostname – DESKTOP-4E1IS0K / box / lili-pc / aws-7grara913oid5jsexgkq / instance
Username – daasadmin

It’s worth mentioning that we have seen these indicators of compromise (IoCs) associated with other packages in the past.
These packages illustrate the ongoing evolution of attack techniques, as the attacker looks for new ways to evade security mechanisms as well as the attention of the research community. While these techniques are common in the wider malware research arena, they had not previously been seen in malicious npm packages. It is likely that we will see more attacks like this. Of course, the easiest way to protect this attack surface is to use an automated supply chain security solution such as Mend Diffend.

Meet The Author

Daniel Elkabes

Daniel Elkabes, Vulnerability Research team leader, writes about in-depth security topics and open source security for Mend Software.

Tamir Ben Ari

Tamir Ben Ari is a malware researcher at Mend specializing in software supply chain. Previously, he held the role of security researcher at Mend, which included detailed vulnerability research in open source libraries.
