Cyber Security News

Hackers Exploit Node.js to Spread Malware and Exfiltrate Data

Threat actors are increasingly targeting Node.js—a staple tool for modern web developers—to launch sophisticated malware campaigns aimed at data theft and system compromise.

Microsoft Defender Experts (DEX) have reported a spike in such attacks since October 2024, especially focusing on malvertising and deceptive software installers.

Node.js: From Developer Darling to Hacker’s Tool

Node.js is an open-source JavaScript runtime, trusted for its flexibility building both front- and back-end applications.

Unfortunately, the very characteristics that make Node.js a favorite among developers—cross-platform compatibility, command-line script execution, and seamless integration—are also appealing to cybercriminals.

Overview of the malvertising campaign leveraging Node.jsOverview of the malvertising campaign leveraging Node.js
Overview of the malvertising campaign leveraging Node.js

Attackers are blending malicious Node.js scripts with legitimate applications, sidestepping conventional security measures.

While Python, PHP, and other scripting languages remain widely abused, the uptake of Node.js in malware delivery marks a significant shift in attacker tactics.

A notable ongoing threat involves a malvertising campaign targeting cryptocurrency enthusiasts. It entices users to visit fraudulent sites via seemingly legitimate ads, then lures them into downloading a fake installer.

This installer, typically disguised as cryptocurrency trading software, contains a malicious DLL that sets up persistence on the victim’s machine via scheduled tasks and PowerShell commands.

Excerpts from the script that gathers and exfiltrates data

Once active, the malware excludes itself from Windows Defender scans, collects detailed system and user data—including BIOS, OS version, network adapters, and even browser credentials—and transmits this information to a command-and-control (C2) server controlled by the attackers.

Payload Delivery and Execution via Node.js

After gathering and exfiltrating data, the attackers deliver a secondary payload: an archive containing Node.js (node.exe), a compiled JavaScript file (JSC), and supporting modules.

The malicious JavaScript is executed, launching routines that may steal further credentials, install additional malware, or set up persistent remote access.

Command line used to launch the JSC file

Beyond packaged executables, attackers are also leveraging Node.js for inline JavaScript execution. In some cases, attackers trick users into running PowerShell commands that download Node.js and immediately execute JavaScript code.

Excerpts from the malicious script, highlighting core HTTP functions

This code maps corporate networks, identifies high-value assets, and disguises outbound traffic as legitimate, making detection even harder.

Security experts urge organizations to:

  • Educate users on the dangers of downloading software from unverified sources.
  • Monitor for unexpected node.exe and PowerShell activity.
  • Enforce script logging and endpoint protection.
  • Restrict outbound connections to suspicious domains and employ robust firewall rules.

With Node.js malware techniques growing in sophistication and frequency, vigilance and proactive defense are essential for safeguarding sensitive information in today’s evolving cybersecurity landscape.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Seamless AI Communication: Microsoft Azure Adopts Google’s A2A Protocol

Microsoft has announced its support for the Agent2Agent (A2A) protocol, an open standard developed in…

5 minutes ago

Radware Cloud Web App Firewall Flaw Allows Attackers to Bypass Security Filters

Security researchers have uncovered two critical vulnerabilities in Radware’s Cloud Web Application Firewall (WAF) that…

15 minutes ago

ESET Reveals How to Spot Fake Calls Demanding Payment for ‘Missed Jury Duty’

ESET, a leading cybersecurity firm, has shed light on one particularly insidious scheme: fake calls…

36 minutes ago

Researchers Turn the Tables: Scamming the Scammers in Telegram’s PigButchering Scheme

Cybersecurity specialists have devised an innovative approach to combat an emerging cybercrime called "PigButchering" on…

2 hours ago

New Spam Campaign Leverages Remote Monitoring Tools to Exploit Organizations

A sophisticated spam campaign targeting Portuguese-speaking users in Brazil has been uncovered by Cisco Talos,…

3 hours ago

New Attack Exploits X/Twitter Ad URL Feature to Deceive Users

Silent Push Threat Analysts have recently exposed a sophisticated financial scam leveraging a vulnerability in…

3 hours ago