Phylum has reported a malicious package named ca-bucky-client in the npm ecosystem, targeting Bucky Client, a project owned by HubSpot. It is currently averaging around 600 installations per week.
This package contains a variety of obfuscation mechanisms to thwart analysis, but the key takeaway is this: any user who inadvertently installs this package will have their environment enumerated and sent to the remote actor. If this includes critical information (e.g., AWS access keys), it will fall into the hands of the malware author.
The package first shipped as version 0.0.1 on July 13, 2022. This particular version does not appear to be successfully malicious. It contains exactly one JavaScript file, a README, and a package.json.
The package.json includes a preinstall hook that executes bucky.js. This file appears to be a mostly functional equivalent of the legitimate bucky.js from early versions of the Bucky Client, with one minor change: require("xmlhttprequest") has been changed to require("./xmlhttprequest"), which refers to a file on disk that does not exist yet.