Cyber Security News

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through malicious packages disguised as legitimate tools. The threat actor, “k303903,” compromised hundreds of machines before the packages were removed. 

Subsequent analysis revealed that “k303903” likely also operates under the aliases “shegotit2” and “pressurized”; all three exhibit identical or highly similar tactics, techniques, and procedures (TTPs) for infiltrating the npm ecosystem with malware, demonstrating the persistent threat of supply chain attacks and the need for heightened security measures within the development ecosystem.

A malicious campaign targeting npm developers delivered the Skuld infostealer, marking the second such attack in two months. It closely resembles a previous attack on Roblox developers, demonstrating the attackers’ adaptability.

Skuld can steal passwords, cookies, sensitive files, and browsing history from Chromium- and Gecko-based browsers.

The threat actors employed typosquatting and obfuscation techniques to compromise development machines and exfiltrate sensitive data. This showcases a recurring pattern in which attackers quickly adapt their strategies after initial success, reintroducing threats with new packaging and distribution methods.


The December 2024 campaign leveraged common deployment methods and relied on commodity malware, highlighting the consistent use of deceptive tactics by these threat actors.

The code snippet reveals a download-and-execute routine that uses the libraries `fs-extra`, `path`, `node-fetch`, and `child_process` to fetch a malicious binary from a URL disguised to look legitimate and then run it.

Obfuscator.io was used to obfuscate the code, making initial detection difficult. Once installed, the package fetches and executes the payload (the Skuld infostealer) under the filename download.exe.

Contextual details about the malicious package.

Actor k303903 used typosquatting to upload malicious npm packages whose names resembled popular libraries, deceiving developers into installing them; the packages then exfiltrated data via a Discord webhook and established command and control.

Using legitimate-looking commands and a trusted service (replit.dev) further disguised the malicious intent, which highlights the importance of careful package review before installation.

The threat actor poses its malicious package as a legitimate library to deceive users.

Malicious npm packages were recently downloaded over 600 times, stealing credentials and sensitive data from affected users. Despite the npm registry’s swift removal, the impact was substantial. 

According to Socket, the attack, resembling a November 2024 incident, demonstrates the rapid evolution of threat actors who reuse malware (like Skuld) and refine their deception techniques. 

To mitigate this, developers should adopt a layered security approach. Automated tools can proactively scan for and block malicious dependencies within the development lifecycle, intercepting threats before they compromise systems.
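As an added illustration of the kind of automated dependency check described above (example code written for this page, not code from Socket, the article's author, or any npm tooling), the script below audits a package.json and the source text of a dependency for the two tactics the article describes: typosquatted package names, and a loader that combines `node-fetch`, `child_process`, a `.exe` download and a Discord webhook. The well-known-package list, the sample package.json and the sample source fragments are constructed for the demo; the lifecycle-hook check is an assumption about how such a payload is typically triggered, not something the article states.

```javascript
// Added example for this article (not code from Socket or the article's author):
// a small pre-install audit for an npm dependency set. It flags typosquatted
// names and source text carrying the download-and-execute indicators the
// article names. Sample inputs below are constructed for the demo.

// Well-known package names that look-alikes would imitate (constructed short list).
const KNOWN_PACKAGES = ["lodash", "express", "axios", "chalk", "node-fetch", "fs-extra"];

// Optimal string alignment distance: insertion, deletion, substitution or an
// adjacent swap each cost 1, so "lodahs" is one edit away from "lodash".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Dependency names within one edit of a well-known package, excluding exact matches.
function typosquatCandidates(deps, known = KNOWN_PACKAGES) {
  const hits = [];
  for (const name of Object.keys(deps)) {
    for (const k of known) {
      if (name !== k && editDistance(name, k) <= 1) hits.push({ name, lookalike: k });
    }
  }
  return hits;
}

// Text indicators taken from the article's description of the loader:
// node-fetch + child_process + a .exe drop, a Discord webhook, obfuscator.io-style names.
const INDICATORS = [
  { id: "discord-webhook", re: /discord(?:app)?\.com\/api\/webhooks\//i },
  { id: "exe-download", re: /https?:\/\/[^\s'"]+\.exe\b/i },
  { id: "child_process", re: /require\(\s*["']child_process["']\s*\)/ },
  { id: "node-fetch", re: /require\(\s*["']node-fetch["']\s*\)/ },
  { id: "obfuscated-ids", re: /\b_0x[0-9a-f]{4,}\b/i },
];

// Returns the ids of every indicator present in the source text, in list order.
function scanSource(src) {
  return INDICATORS.filter((ind) => ind.re.test(src)).map((ind) => ind.id);
}

// npm lifecycle scripts that run automatically on install (assumption: this is
// where a loader would be wired; the article only says it runs "once installed").
function installHooks(pkg) {
  const scripts = pkg.scripts || {};
  return ["preinstall", "install", "postinstall"].filter((s) => s in scripts);
}

// Combines the checks into a verdict a CI gate could act on.
function auditPackage(pkg, src) {
  const typosquats = typosquatCandidates(pkg.dependencies || {});
  const hooks = installHooks(pkg);
  const findings = scanSource(src);
  const dropper = findings.includes("child_process") && findings.includes("exe-download");
  const block = typosquats.length > 0 || findings.includes("discord-webhook") || dropper;
  return { typosquats, hooks, findings, verdict: block ? "block" : hooks.length ? "review" : "allow" };
}

// Constructed sample input: one look-alike dependency and a postinstall hook.
const SAMPLE_PACKAGE = {
  name: "demo-app",
  dependencies: { lodash: "^4.17.21", lodahs: "1.0.0", express: "^4.19.0" },
  scripts: { postinstall: "node setup.js" },
};

// Constructed fragments that merely resemble the indicators; this is not a working loader.
const SAMPLE_SOURCE = [
  "const _0x4f2a = ['download', 'run'];",
  "const { execFile } = require('child_process');",
  "const fetch = require('node-fetch');",
  "const dropUrl = 'https://example.invalid/assets/download.exe';",
  "const hook = 'https://discord.com/api/webhooks/PLACEHOLDER/PLACEHOLDER';",
].join("\n");

console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE, SAMPLE_SOURCE), null, 2));
```

Run with `node audit.js`; for the constructed sample it reports the `lodahs` look-alike, the `postinstall` hook and all five indicators, and returns a `block` verdict. In practice the known-package list would come from registry download counts and the source scan would run over every file in the unpacked tarball before `npm install` executes any lifecycle script.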


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
