A massive cybercrime campaign is affecting 390,000 WordPress websites and stealing details
- Researchers found a malicious package on NPM, uploaded a year ago
- It was initially benign and later introduced malware via an update
- The malware stole hundreds of thousands of secrets and installed cryptojackers on dozens of computers
For about a year now, hackers have been infecting red teamers, penetration testers, security researchers, and other hackers with a piece of malware that steals WordPress login credentials and other sensitive data and installs crypto miners on compromised endpoints.
As a result, the login credentials for some 390,000 WordPress accounts were stolen and dozens of systems were found mining Monero.
Cybersecurity researchers at Datadog Security Labs spotted the attack on the NPM package repository and on GitHub, after researchers from Checkmarx had also recently raised the alarm about the same campaign.
The package masqueraded as an XML-RPC implementation and was first uploaded to the repository in October 2023. By November 2024, when it was finally identified as malicious, it had received 16 updates.
Legitimate at first
Datadog noted that the attackers were tactical in their approach, first uploading a package that was legitimate and worked as intended. The malicious code was introduced in later versions and was designed to steal SSH keys, bash history and other data every 12 hours. The data it collects is exfiltrated via Dropbox or File.io.
To make matters worse, researchers and security professionals incorporating the fake XML-RPC package into their own tools would only expand the malware's reach and turn it into a full-blown supply chain attack.
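As an added illustration (not Datadog's or Checkmarx's code, and not the malicious package itself), the following Python audit compares two versions of an npm package before an upgrade and flags the kind of change described above: a newly added install hook, new dependencies, and references to SSH keys, shell history or file-sharing hosts. The package contents are constructed here, and the JavaScript API names it looks for are assumptions.

```python
import re

# Indicators drawn from the behaviour the article describes (SSH keys, bash history,
# upload to Dropbox / File.io, a timer). JS API names are assumptions, not from the article.
SUSPICIOUS = {
    "ssh_key_access": re.compile(r"\.ssh[/\\'\"]|id_rsa|id_ed25519"),
    "shell_history_access": re.compile(r"\.bash_history|\.zsh_history"),
    "exfil_host": re.compile(r"dropboxapi\.com|dropbox\.com|file\.io", re.I),
    "process_spawn": re.compile(r"child_process|\bexec(?:Sync)?\("),
    "timer": re.compile(r"setInterval\("),
}

def audit_update(old_pkg, new_pkg, new_files):
    """old_pkg/new_pkg: parsed package.json dicts; new_files: path -> source of the new version."""
    findings = {"new_scripts": [], "new_deps": [], "indicators": {}}
    old_scripts = old_pkg.get("scripts", {})
    for name, cmd in new_pkg.get("scripts", {}).items():
        # Lifecycle hooks run automatically on `npm install`; a new or changed one is a red flag.
        if name in ("preinstall", "install", "postinstall") and old_scripts.get(name) != cmd:
            findings["new_scripts"].append((name, cmd))
    old_deps = set(old_pkg.get("dependencies", {}))
    findings["new_deps"] = sorted(set(new_pkg.get("dependencies", {})) - old_deps)
    for path, src in new_files.items():
        hits = [key for key, rx in SUSPICIOUS.items() if rx.search(src)]
        if hits:
            findings["indicators"][path] = hits
    return findings

def risk_score(findings):
    """Additive score: install hooks and credential/exfil indicators weigh 3, others 1."""
    heavy = {"exfil_host", "ssh_key_access", "shell_history_access"}
    score = 3 * len(findings["new_scripts"]) + len(findings["new_deps"])
    for hits in findings["indicators"].values():
        score += sum(3 if h in heavy else 1 for h in hits)
    return score

# Constructed sample (hypothetical package name): v1.0.0 is a plain XML-RPC helper,
# v1.3.0 adds a postinstall hook and a file whose comments name the resources touched.
OLD_PKG = {"name": "example-xmlrpc", "version": "1.0.0",
           "scripts": {"test": "node test.js"}, "dependencies": {}}
NEW_PKG = {"name": "example-xmlrpc", "version": "1.3.0",
           "scripts": {"test": "node test.js", "postinstall": "node lib/validator.js"},
           "dependencies": {"axios": "^1.0.0"}}
NEW_FILES = {
    "lib/xmlrpc.js": "module.exports = { call(method, params) { /* build <methodCall> */ } };",
    "lib/validator.js": "setInterval(() => { /* read ~/.ssh/id_rsa and ~/.bash_history, "
                        "upload to https://file.io */ }, 12 * 60 * 60 * 1000);",
}
```

Running `audit_update(OLD_PKG, NEW_PKG, NEW_FILES)` reports the new postinstall hook, the new `axios` dependency and four indicators in `lib/validator.js`; the same check against an unchanged package reports nothing.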
Datadog said the team ultimately found 68 compromised systems that were actively mining the Monero currency. Monero, with the XMR ticker, is usually mined with XMRig, a miner widely abused as a cryptojacker. Monero is a popular means of payment among thieves because it is anonymous and very difficult to trace.
The identity of the threat actors was not discovered, but the researchers named the group MUT-1224, where MUT stands for Mysterious Unattributed Threat.
Large code repositories remain a vital platform for cybercriminals, the researchers concluded, emphasizing that developers should be extra careful when using open-source software.
Via BleepingComputer