Researchers uncovered a malware campaign in the npm ecosystem, where “k303903” used fake packages to spread the Skuld info stealer, compromising hundreds of machines before removal.
Analysis shows “k303903” likely uses aliases like “shegotit2” and “pressurized,” all using similar methods to spread malware in the npm ecosystem, highlighting supply chain attack risks and the need for stronger security.
A recent campaign targeted npm developers with the Skuld infostealer, the second such attack in two months, resembling a previous attack on Roblox developers, showing the attackers’ adaptability.
Threat actors used typosquatting and obfuscation to compromise machines and steal data, repeatedly adapting tactics with new packaging and distribution methods.
The December 2024 campaign used common methods and commodity malware, showing the threat actors’ consistent reliance on deceptive tactics.
The code downloads and runs a malicious file using libraries like fs-extra, path, node-fetch, and child_process, with the URL disguised as legitimate.
Obfuscator.io was used to hide the code, making detection harder. After installation, the malware runs the Skuld infostealer as download.exe.
Actor k303903 used typosquatting to upload fake npm packages, tricking developers into installing them. This enabled data theft via a Discord webhook and command-and-control setup.
Using trusted tools like replit.dev added to the deception, stressing the need for careful package review.
Over 600 downloads of malicious npm packages recently led to stolen credentials and sensitive data. Despite quick removal by the npm registry, the damage was significant.
Socket reports the attack mirrors a November 2024 incident, showing how threat actors rapidly evolve by reusing malware like Skuld and improving their tactics.
Developers can mitigate such risks with layered security and automated tools to detect and block malicious dependencies early.
Indicators of Compromise (IOCs) — k303903
Malicious Packages:
- windows-confirm
- windows-version-check
- downloadsolara
- solara-config
- aaaa89852889
Indicators of Compromise (IOCs) — shegotit2
Malicious Packages:
- o7rcyti43qv
- bootstrapper-solara
- solara-upgrade
Indicators of Compromise (IOCs) — pressurized
Malicious Packages:
- atlantis-api
- xeno-api
- core-builder
- upgrade-solara
- xeno-builder
- get-matcha
- solara-builder
- solara-cleanup
- solara-installer
- solarainstaller
- powerupdate
- windows.solara
- windowsversionupdate
- solaramatcher
- deathball
- updkernels
- antibyfron
- programcleanup
- robloxint