Malicious AWS Packages Deliver Malware Through JPEGs
The Phylum Research Team recently uncovered a sophisticated cyberattack targeting developers using the npm package registry. On July 13th, 2024, researchers identified two seemingly legitimate packages, clones of existing libraries, concealing malicious code within JPEG image files.
The deceptive npm packages, such as img-aws-s3-object-multipart-copy, mimic genuine libraries like aws-s3-object-multipart-copy on GitHub. These malicious versions have been subtly modified to include hidden scripts that execute harmful code during package installation.
Appears as logo2.jpg in the package
Upon analyzing the loadformat.js script within these packages, the Phylum team discovered a seemingly benign image analysis routine. This script reads each byte of an image file and converts specific byte values into characters, which are then appended to a variable named analyzepixels.
The script defines two functions, imagebyte and analyzePixels. If a variable convertertree is set to true (triggered if the image contains more than 2,000 valid bytes), imagebyte is set to analyzepixels, effectively executing the hidden script extracted from the image file. This execution could either send an empty POST request to cloudconvert.com or initiate the malicious code.
In this case, the embedded commands established a connection to a remote command-and-control (C2) server. The infected machine then became a puppet, awaiting further instructions from the attackers.
The JPEGs themselves held the key to the C2 communication, with each image containing a different set of commands. This stealthy approach allowed the attackers to maintain control over compromised systems, potentially executing arbitrary code and exfiltrating sensitive data.
These malicious packages remained available on the npm registry for nearly two days before being reported and removed. Developers and security organizations must remain vigilant and implement robust monitoring and verification processes for the open-source libraries they consume.
