Cybersecurity researchers have discovered a software supply chain attack that has remained active for over a year on the npm package registry by starting off as an innocuous library and later adding malicious code to steal sensitive data and mine cryptocurrency on infected systems.

The package, named @0xengine/xmlrpc, was originally published on October 2, 2023 as a JavaScript-based XML-RPC server and client for Node.js. It has been downloaded 1,790 times to date and remains available for download from the repository.

Checkmarx, which discovered the package, said the malicious code was strategically introduced in version 1.3.4 a day later, harboring functionality to harvest valuable information such as SSH keys, bash history, system metadata, and environment variables every 12 hours, and exfiltrate it via services like Dropbox and file.io.

"The attack achieved distribution through multiple vectors: direct npm installation and as a hidden dependency in a legitimate-looking repository," security researcher Yehuda Gelb said in a technical report published this week.

The second approach involves a GitHub project repository named yawpp (short for "Yet Another WordPress Poster") that purports to be a tool designed to programmatically create posts on the WordPress platform. Its "package.json" file lists the latest version of @0xengine/xmlrpc as a dependency, thereby causing the malicious npm package to be automatically downloaded and installed when users attempt to set up the…
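The hidden-dependency vector above is easy to check for on the defender's side. The following is an added example, not code from the article or from Checkmarx: a small Node.js script that scans a project's package.json for a dependency on a package known to have turned malicious from a given version (the name and the 1.3.4 threshold come from the article; the sample manifest is constructed, and the helper names are assumptions). It flags any range or dist-tag such as "latest" that could resolve to a bad release, and treats only an exact pin older than the first bad version as safe.

```javascript
// Added example (not from the article or Checkmarx): flag manifest entries that
// reference a package known to be malicious from a given version onward.
const DEPENDENCY_FIELDS = [
  'dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies',
];

// First version from which the package is known to be malicious (from the article).
const KNOWN_BAD = { '@0xengine/xmlrpc': '1.3.4' };

// Compare dotted numeric versions: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// A spec is safe only when it is an exact version older than the first bad one.
// Ranges (^, ~, >=, *), dist-tags ("latest") and URLs may resolve to a bad release.
function specIsSafe(spec, firstBadVersion) {
  const exact = /^v?(\d+\.\d+\.\d+)$/.exec(String(spec).trim());
  if (!exact) return false;
  return compareVersions(exact[1], firstBadVersion) < 0;
}

// Return one finding per dependency field that references a known-bad package.
function scanPackageJson(packageJsonText, knownBad = KNOWN_BAD) {
  const manifest = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of DEPENDENCY_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!(name in knownBad)) continue;
      findings.push({
        field, name, spec,
        safe: specIsSafe(spec, knownBad[name]),
        reason: `${name} is malicious from version ${knownBad[name]}`,
      });
    }
  }
  return findings;
}

// Constructed sample manifest modelled on the yawpp case described in the article.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'yawpp-like-tool',
  dependencies: { '@0xengine/xmlrpc': 'latest', express: '^4.18.0' },
});

console.log(scanPackageJson(SAMPLE_MANIFEST));
```

Run it against a real project with `scanPackageJson(fs.readFileSync('package.json', 'utf8'))`; a lock file scan (package-lock.json) would additionally catch the package when it arrives transitively.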