LetsDefend: Hijacked NPM Package/Supply Chain Compromise

Michael Koczwara
5 min read · Jan 3, 2022

Hijacked NPM walkthrough

Preparation

Alert SOC158: Hijacked NPM Malware

Everything looks legit when I do the checks. UA Parser JS has been downloaded from its official site. I couldn't understand what the problem is.

Alert

Threat Intel

First things first, let's check the hash on VirusTotal (VT). The alert only gives an MD5; VT resolves it to the SHA256 of the same file, so both are listed below.

  • MD5 Hash: fc724eb2894f34a3aca4b952d2f816cd
  • SHA256 Hash: 7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5

https://www.virustotal.com/gui/file/7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5/detection

VirusTotal Results

Twitter is the best resource for threat intel and it is always worth checking. Below we can see the post regarding the NPM supply chain attack.

Opendir 185.173.36[.]219 hosting malware

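The two checks above (hash lookup and the opendir IP from the threat-intel post) are what an analyst would then sweep the rest of the fleet for. The script below is an added example, not part of the original post or of LetsDefend's material: it hashes every file under a directory in one pass (MD5 and SHA256 together, so there is no need to resolve one from the other) and matches the digests against the page's IOCs, then refangs the defanged opendir address and matches it against proxy log lines. The sample file, its "constructed test sample" hash entry and the three log lines are constructed here so the script runs offline; the log format is assumed.

```python
"""IOC sweep for the SOC158 alert (added example, not from the original post).

Hashes: the MD5 from the alert and the SHA256 VirusTotal resolved it to.
IP: the opendir from the threat-intel post, kept defanged as it was published.
The sample file and proxy log lines used by demo() are constructed test data.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List, Tuple

# File IOCs from the page (both digests belong to the same malicious file).
HASH_IOCS: Dict[str, str] = {
    "fc724eb2894f34a3aca4b952d2f816cd": "SOC158 hijacked npm sample (MD5)",
    "7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5": "SOC158 hijacked npm sample (SHA256)",
}
# Network IOC from the page, stored defanged; refang() is applied before matching.
IP_IOCS: Dict[str, str] = {"185.173.36[.]219": "opendir hosting malware"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (185.173.36[.]219, hxxp://) back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def file_hashes(path: str, chunk: int = 1 << 20) -> Tuple[str, str]:
    """MD5 and SHA256 of a file computed in a single chunked read."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def sweep_files(root: str, iocs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Walk root and return (path, digest, label) for every file whose MD5 or SHA256 is an IOC."""
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                for digest in file_hashes(path):
                    if digest in iocs:
                        hits.append((path, digest, iocs[digest]))
            except OSError:
                continue  # unreadable file or broken symlink: skip it, don't abort the sweep
    return hits


def sweep_logs(lines: Iterable[str], iocs: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, label) for every log line that mentions an IOC IP."""
    wanted = {refang(ip): label for ip, label in iocs.items()}
    hits: List[Tuple[int, str, str]] = []
    for no, line in enumerate(lines, 1):
        for candidate in IPV4_RE.findall(line):
            if candidate in wanted:
                hits.append((no, candidate, wanted[candidate]))
    return hits


def demo() -> Tuple[List[Tuple[str, str, str]], List[Tuple[int, str, str]]]:
    """Constructed input: a throwaway directory holding one file whose MD5 is added to the
    IOC set so the file sweep has something to hit, plus three made-up proxy log lines."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"hello")  # constructed content; MD5 5d41402abc4b2a76b9719d911017c592
        iocs = dict(HASH_IOCS)
        iocs["5d41402abc4b2a76b9719d911017c592"] = "constructed test sample"
        file_hits = sweep_files(root, iocs)
    # Constructed proxy log lines (assumed format: timestamp host method url status).
    logs = [
        "2022-01-03T10:00:01Z ws01 GET https://registry.npmjs.org/ua-parser-js 200",
        "2022-01-03T10:00:07Z ws01 GET http://185.173.36.219/sample.exe 200",
        "2022-01-03T10:00:09Z ws01 GET https://www.virustotal.com/ 200",
    ]
    return file_hits, sweep_logs(logs, IP_IOCS)


if __name__ == "__main__":
    for hit in demo()[0]:
        print("file hit:", hit)
    for hit in demo()[1]:
        print("log hit:", hit)
```

Hash matching is only as good as the IOC list: a re-packed build of the same miner has a different digest, so treat a clean hash sweep as "this exact file is absent", not as "the host is clean", and pair it with the network check and the sandbox verdict below.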

Basic Analysis

Let's grab the executable from the opendir and detonate the sample in the ANY.RUN sandbox.

XMRig 6.15.2 cryptominer
