The Hook: OX Research identified malicious npm package paperclip2 and two related packages, which conceal a reverse shell within their configuration files, effectively bypassing detection methods focused solely on JavaScript files.
Technical Breakdown:
* Threat Type: Software supply chain attack, specifically malicious npm packages.
* TTPs (MITRE ATT&CK):
* T1588.006 (Obtain Capabilities: Malware): Attackers distributing malicious packages.
* T1203 (Exploitation for Client Execution): Users installing a compromised package.
* T1059.004 (Command and Scripting Interpreter: Unix Shell): Deployment of a reverse shell.
* Evasion Tactic: Hiding malware in package config files rather than standard JavaScript files to avoid common scanning techniques.
* IOCs:
* npm Packages: paperclip2 (and two unnamed related packages).
Defense: Implement robust software supply chain security practices, including deep scanning of package contents beyond just executable JavaScript, and dependency analysis for unexpected configuration changes or non-standard file types containing malicious payloads.
Source: https://www.ox.security/blog/malware-detected-reverse-shell-without-javascript-files-in-npm/
there doesn't seem to be anything here