Cybersecurity researchers have found a suspicious package on the npm package registry that drops a remote access trojan (RAT) onto the machines that install it.
The package is called glup-debugger-log and targets gulp toolkit users by pretending to be a “logger for gulp and gulp plugins.” It has been downloaded 175 times so far.
The security firm Phylum, which uncovered the package, revealed that it comes with two obfuscated files that work together to deploy the malicious payload.
“One of the files acts as an initial dropper to set up the target machine for the malware campaign, while the other file provides the attacker with a remote access mechanism to control the compromised machine,” they explained.
Phylum’s analysis of the package’s package.json file revealed that its “test” script runs a JavaScript file (“index.js”), which in turn loads an obfuscated JavaScript file (“play.js”).
The second JavaScript file serves as a dropper to download additional malware after running checks for network interfaces, specific Windows operating systems, and the number of files in the Desktop folder.
According to Phylum, these checks aim to single out real developer machines and avoid controlled environments such as sandboxes, VMs, or fresh installations with an empty desktop.
If all checks pass, a third JavaScript file bundled with the package (“play-safe.js”) is executed to establish persistence and run commands fetched from a URL or a local file.
The “play-safe.js” file creates an HTTP server to listen for commands on port 3004, execute them, and send the output back to the client.
Phylum described the RAT as a combination of crude and sophisticated due to its minimal functionality, self-contained nature, and obfuscation techniques to evade analysis.
They emphasized the evolving landscape of malware development in open-source ecosystems and how attackers are using new techniques to create compact, stealthy malware with powerful capabilities.