NPM Malware Targeting HubSpot’s Bucky Client

Phylum has reported a malicious package named ca-bucky-client in the NPM ecosystem targeting Bucky Client, a project owned by HubSpot. It is currently averaging around 600 installations per week.

This package contains a variety of obfuscation mechanisms to thwart analysis, but the key takeaway is this: Any user that inadvertently installs this package will have their environment enumerated and sent to the remote actor. If this includes critical information (e.g., AWS access keys), it will fall into the hands of the malware author.

The package first shipped as version 0.0.1 on July 13, 2022. It does not appear as though this particular version is successfully malicious. This version contains exactly one JavaScript file, a README, and a package.json.

The package.json includes a preinstall hook that executes bucky.js. This file appears to be a mostly functional equivalent of the legitimate bucky.js from early versions of the Bucky Client, with one minor change: require("xmlhttprequest") has been updated to require("./xmlhttprequest") so that it refers to a file on disk (which doesn't exist yet in this version).
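As an added example (not part of Phylum's report), a small audit routine that flags the two signals described above when reviewing an installed package: install-time lifecycle scripts in package.json, and a relative require() whose file name shadows a module the manifest declares as a dependency. The sample manifest and source excerpt below are constructed to mirror the description; the dependency entry and the "node bucky.js" command are assumptions.

```javascript
// Added example: flag install-time hooks and local requires that shadow a
// declared dependency. Inputs are constructed; they are not the real package.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed package.json resembling the one described above (assumed values).
const samplePackageJson = {
  name: "ca-bucky-client",
  version: "0.0.1",
  scripts: { preinstall: "node bucky.js" },
  dependencies: { xmlhttprequest: "^1.8.0" },
};

// Constructed bucky.js excerpt: the module require() redirected to a local file.
const sampleSource = `
const XMLHttpRequest = require("./xmlhttprequest").XMLHttpRequest;
const os = require("os");
`;

// Return every lifecycle script that runs code at install time.
function installHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Return relative require() paths whose basename equals a declared dependency:
// a file shipped in the tarball standing in for a module the manifest names.
function shadowedRequires(source, pkg) {
  const deps = new Set(Object.keys({
    ...(pkg.dependencies || {}),
    ...(pkg.devDependencies || {}),
  }));
  const re = /require\(\s*["'](\.{1,2}\/[^"']+)["']\s*\)/g;
  const hits = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const base = m[1].split("/").pop().replace(/\.(c|m)?js$/, "");
    if (deps.has(base)) hits.push({ path: m[1], shadows: base });
  }
  return hits;
}

// Combine both checks; a non-empty result warrants a manual look at the hook.
function audit(pkg, source) {
  return { hooks: installHooks(pkg), shadowed: shadowedRequires(source, pkg) };
}

console.log(JSON.stringify(audit(samplePackageJson, sampleSource), null, 2));
```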


Posted by SH
