Tuesday, April 15, 2025
Follow us On Linkedin
HomeCyber Security NewsNascent Malware Attacking npm, PyPI, and RubyGems Developers

Nascent Malware Attacking npm, PyPI, and RubyGems Developers

Cyber Security NewsMalware

Published on

By Gurubaran
Nascent Malware Attacking npm, PyPI, and RubyGems Developers

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

Phylum analyzes source code and metadata for all registry-pushed packages. This year, in millions of packages they are aiming to examine nearly a billion files, as this will enable them to get unique insights into package behaviors across ecosystems.

That’s why it has been actively tracking various recent malware campaigns, from fake npm package updates to GCC binary impostors and complex data exfiltration setups.

Besides this, the cybersecurity analysts at Phylum recently reported about Nascent malware attacking developers of the following platforms and programs:-

- Advertisement - Google News

Nascent Malware on Registry packages

Phylum’s automated platform alerted researchers about the “kwxiaodian” package on September 3, 2023, and in its setup.py the following contents were revealed:-

Contents of setup.py (Source – Phylum)

Simultaneously, they received alerts about harmful npm packages executing specific actions in the package.json preinstall hook, and then the obfuscated index.js file was executed.

Here below, we have mentioned all the things that this package does:-

  • The network interface info is gathered initially.
  • Basic information like OS details, free memory available, etc., were also collected.
  • If the platform is not macOS, then the execution is automatically terminated.
  • Lastly, it encrypts and sends data to the attacker’s server.

The Rubygems package mirrors PyPI and npm patterns, triggering automatic execution via the “Rakefile” to collect and send host information to a remote server.

Ruby platform data collection (Source – Phylum)

Ecosystems Commonalities 

However, apart from all these things, the campaigns targeting npm, PyPI, and RubyGems are identical, as revealed by the researchers upon close review analysis.

Here below, we have mentioned all the commonalities:-

  • On 81.70.191.194, all the packages communicate with a service.
  • Collects and sends system info to this service.
  • On macOS systems, the packages execute only.
  • Similar versions across ecosystems were published.

Timeline

Full package timeline (Source – Phylum)

Malware is widespread in open-source registries, and despite security awareness, developers often pull and execute packages from unknown sources. Making manual audits impractical due to the increasing number of dependencies.

In this scenario, using automated solutions to detect and block packages violating defined policies is a wise approach to managing malware and other risks.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Cyber Security News

Microsoft Teams File Sharing Unavailable Due to Unexpected Outage

Microsoft Teams users across the globe are experiencing significant disruptions in file-sharing capabilities due...
Cloud

Cloud Misconfigurations – A Leading Cause of Data Breaches

Cloud computing has transformed the way organizations operate, offering unprecedented scalability, flexibility, and cost...
cyber security

Security Awareness Metrics That Matter to the CISO

Security awareness has become a critical component of organizational defense strategies, particularly as companies...
cyber security

New ‘Waiting Thread Hijacking’ Malware Technique Evades Modern Security Measures

Security researchers have unveiled a new malware process injection technique dubbed "Waiting Thread Hijacking"...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

Register Now

More like this

Cyber Security News

Microsoft Teams File Sharing Unavailable Due to Unexpected Outage

Microsoft Teams users across the globe are experiencing significant disruptions in file-sharing capabilities due...
Cloud

Cloud Misconfigurations – A Leading Cause of Data Breaches

Cloud computing has transformed the way organizations operate, offering unprecedented scalability, flexibility, and cost...
cyber security

Security Awareness Metrics That Matter to the CISO

Security awareness has become a critical component of organizational defense strategies, particularly as companies...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2025 GBHackers On Security - All Rights Reserved