
Malware Detected: Reverse Shell Without JavaScript Files in npm
The Hook: OX Research identified malicious npm package paperclip2 and two related packages, which conceal a reverse shell within their configuration files, effectively bypassing detection methods focused solely on JavaScript files.
Technical Breakdown:
- Threat Type: Software supply chain attack, specifically malicious npm packages.
- TTPs (MITRE ATT&CK):
- T1588.006 (Obtain Capabilities: Malware): Attackers distributing malicious packages.
- T1203 (Exploitation for Client Execution): Users installing a compromised package.
- T1059.004 (Command and Scripting Interpreter: Unix Shell): Deployment of a reverse shell.
- Evasion Tactic: Hiding malware in package config files rather than standard JavaScript files to avoid common scanning techniques.
- IOCs:
- npm Packages:
paperclip2(and two unnamed related packages).
- npm Packages:
Defense: Implement robust software supply chain security practices, including deep scanning of package contents beyond just executable JavaScript, and dependency analysis for unexpected configuration changes or non-standard file types containing malicious payloads.
Source: https://www.ox.security/blog/malware-detected-reverse-shell-without-javascript-files-in-npm/