Thursday, May 8, 2025
Homecyber securityDevelopers Beware Of Malicious npm Package Delivers Sophisticated RAT

Developers Beware Of Malicious npm Package Delivers Sophisticated RAT

Published on

SIEM as a Service

Follow Us on Google News

Hackers have multiple reasons for abusing malicious npm packages, as they can first use popular open-source libraries as a medium for distributing malware or backdoors without the users’ knowledge.

Secondly, allow threat actors to penetrate into developers’ and agencies’ networks and systems who are using these infected packs.

As they could take away confidential information, launch supply chain attacks, or even use those accounts to mine cryptocurrencies. In general, exploiting npm packages is an effective and confidential method of attack for hackers.

- Advertisement - Google News

Cybersecurity researchers at Phylum recently warned developers about malicious npm packages that deliver sophisticated RAT.

Technical Analysis

Phylum’s automated risk platform recently detected a suspicious npm package named glup-debugger-log which has obfuscated files that act as a dropper and provide remote access.

Some obfuscated files were found in package.json that were executed via build and test scripts.

The entry point for the malicious code was identified to be the bind() method from an obfuscated play.js file after deobfuscating it.

Function bind() exports code that produces a random number and then asynchronously executes start() and share().

Start() gets some configuration information which includes hard-coded empty strings for keys “p” and “pv”.

It then makes environment verifications through the use of checkEnv function to decide whether or not the malware should be sent out.

These checks consist of network interface verification, Windows OS check, and ensuring the developer’s desktop folder has at least 7 programs, most likely directed at active developers’ machines.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

If all of these tests are successful, the code will attempt to run the command locally, or download and run a remote payload and maintain a background script that provides remote access.

The code does extra checks compared to the initial environment checks. The code can be defined as a “match” key that can target specific machines through either MAC addresses or IPs.

It permits only Windows systems and must have at least 7 things in the user’s Desktop folder, indicating probably that it is an active developer machine.

After a successful checkup, it runs a command locally by means of decoding an already hardcoded Base64 string to “cmd.exe” or “downloads” a remote payload from the URL given.

Moreover, even after the main process exits, it runs another separate script that remains persistent for further malicious activities.

The attacker seems to be interested in developers’ systems for compromise in this way.

The hidden play-share.js sets up an HTTP server on port 3004. Sending a query with “cmd” through this means the attacker can command execution on the compromised system.

It uses child_process to execute the specified command and then returns the output of that command.

Alongside the main dropper, it makes it possible to have remote code execution since it is simple but powerful enough to make something of a crude RAT.

While written in JavaScript, some modularity, stealth, environment targeting, and obfuscation techniques are used.

This shows how attackers evolve malware development in open-source ecosystems.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Cisco IOS XE Wireless Controllers Vulnerability Lets Attackers Seize Full Control

A critical security flaw has been discovered in Cisco IOS XE Wireless LAN Controllers...

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025

The healthcare sector has emerged as a prime target for cyber attackers, driven by...