
Rewterz Threat Alert – Malicious NPM Packages Install njRAT

Severity

High

Analysis Summary

New malicious NPM packages have been discovered that install the njRAT remote access trojan, which gives an attacker control over the infected computer. NPM is a JavaScript package manager that lets developers and users download packages and integrate them into their projects. Because NPM is an open ecosystem, anyone can upload a new package without it being reviewed or scanned for malware, which makes it easy for threat actors to publish malicious packages. The recently discovered malicious NPM packages masqueraded as a legitimate tool for building databases from JSON files, and looked like harmless packages that add new functionality to a project. Once installed, njRAT gives the threat actor full remote access to the victim's computer, where they can perform the following malicious behavior:

  • Modify the Windows Registry
  • Create and delete files
  • Upload files
  • Execute commands
  • Get information about the computer
  • Take control over the computer
  • Log keystrokes
  • Steal passwords
  • Kill processes
  • Take screenshots

Impact

  • Unauthorized Remote Access
  • System Takeover
  • Unauthorized Command Execution
  • Credential Theft
  • Data Manipulation
  • Information Disclosure

Indicators of Compromise

IP

  • 46[.]185[.]116[.]2

MD5

  • 7e952af5e150618e282f8586bc6a7d21
  • b131dc177af1c2bb38ffc9da6c5b3989

SHA-256

  • d6c04cc24598c63e1d561768663808ff43a73d3876aee17d90e2ea01ee9540ff
  • 86c11e56a1a3fed321e9ddc191601a318148b4d3e40c96f1764bfa05c5dbf212
  • 89fef995339abb188a5a84ba8078c0f9e9927d14fb99c1bb93493442365055cf

SHA-1

  • c4906e174ae7673a50a9dc52960505647ff6f723
  • fab5d5403369f6f9c41495d7492eb8ab596d11d7

Remediation

  • Block the threat indicators at their respective controls.
  • Because malicious NPM packages use names similar to those of legitimate projects, check packages carefully before integrating them into your projects.