Malicious ‘oscompatible’ Trojan Discovered in npm Registry
Amid the ever-evolving cybersecurity landscape, a new threat has emerged in the open-source software ecosystem. Packaged under the guise of “oscompatible,” a malicious trojan targeted the npm registry, racking up 380 downloads before detection and removal. The attack was sophisticated, going far beyond a typical security breach.
The malicious package was uploaded on January 9, 2024, and bundled an unusual set of files for an npm package: several executables, a DLL, an encrypted DAT file, and a JavaScript file. The JavaScript file checked for compatibility and then executed a batch script; if the process lacked administrator privileges, that script launched an executable via PowerShell to trigger UAC prompts. The script went to considerable lengths to appear benign, even leveraging revoked certificates to feign legitimacy.
The DLL, disguised as “msedge.dll,” was loaded through DLL search order hijacking, decrypted the DAT file and launched “msedgedat.dll.” That DLL in turn contacted a remote domain to retrieve a ZIP archive containing the AnyDesk remote desktop software and a secondary payload: a remote access trojan embedded within “verify.dll.” Once installed, this trojan could capture sensitive information and execute remote commands.
Upon infiltration, the trojan installed Chrome extensions, manipulated AnyDesk settings, masked the user’s screen, and even disabled Windows shutdown features, all while capturing keyboard and mouse events. With these capabilities, the attackers had free rein to exploit compromised systems.
This onslaught against npm signifies a broader issue within open-source ecosystems: the alarming prevalence of deprecated packages. An investigation by Aqua revealed that an astounding 21.2% of the 50,000 most downloaded npm packages are deprecated, yet they accrue around 2.1 billion weekly downloads. This status quo is highly detrimental, as some maintainers opt to deprecate rather than fix security flaws, leaving users vulnerable.
In response to this disturbing trend, the npm security team has been vigilant, swiftly removing dangerous packages from the registry and publishing placeholders. They encourage users to seek detailed information on security issues like this at the npm security advisories page.
To mitigate threats from such sophisticated RATs, careful vigilance is paramount. Users must approach npm installations with caution, ensuring the trustworthiness of the sources. Moreover, keeping antivirus defenses updated and conducting regular system scans remain critical practices for cybersecurity hygiene.
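Part of that vetting can be automated before anything is installed. The following Node.js script is an added example, not code from the article or the npm project: it flags the traits described above, namely lifecycle scripts that run at install time and native artefacts (.exe, .dll, .bat, .dat) bundled inside a package. The manifest and file list are constructed for illustration and are not the real package's contents.

```javascript
// Added example (not from the article): heuristic pre-install audit of an npm
// package's manifest and file list. The sample inputs below are constructed
// to mirror the traits described in the article; they are not the real
// package's contents.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const NATIVE_EXTENSIONS = ['.exe', '.dll', '.dat', '.bat', '.cmd', '.ps1', '.vbs'];
const SHELL_PATTERN = /powershell|cmd\.exe|\.bat\b|\.cmd\b|\.ps1\b/i;

// Returns an array of findings ({ rule, detail }); an empty array means
// nothing was flagged. This is a triage heuristic, not proof of malice.
function auditPackage(manifest, files) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};

  // 1. Any lifecycle hook runs arbitrary code at install time.
  for (const hook of LIFECYCLE_HOOKS) {
    if (!scripts[hook]) continue;
    findings.push({ rule: 'lifecycle-script', detail: `${hook}: ${scripts[hook]}` });
    // A hook that invokes PowerShell or a batch file is how a package would
    // launch native binaries (and trigger UAC prompts) during install.
    if (SHELL_PATTERN.test(scripts[hook])) {
      findings.push({ rule: 'shell-in-lifecycle', detail: hook });
    }
  }

  // 2. Compiled binaries, DLLs, batch files and opaque .dat blobs have no
  //    place in a typical pure-JavaScript package.
  for (const file of files) {
    const lower = file.toLowerCase();
    const dot = lower.lastIndexOf('.');
    const ext = dot === -1 ? '' : lower.slice(dot);
    if (NATIVE_EXTENSIONS.includes(ext)) {
      findings.push({ rule: 'native-artifact', detail: file });
    }
  }
  return findings;
}

// Constructed sample resembling the described package layout (placeholder name).
const sampleManifest = {
  name: 'example-pkg',
  version: '1.0.0',
  scripts: { postinstall: 'node index.js' },
};
const sampleFiles = ['package.json', 'index.js', 'run.bat', 'msedge.dll', 'payload.dat', 'helper.exe'];

for (const f of auditPackage(sampleManifest, sampleFiles)) {
  console.log(`${f.rule}: ${f.detail}`);
}
```

Run it against the extracted contents of an `npm pack` tarball and treat any finding as a reason to inspect the package by hand before installing.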
This revelation about “oscompatible” serves as a stark reminder: Cybersecurity is a constantly shifting battleground. Whether a developer or an end-user, one must remain perpetually cautious and proactive to bolster defenses in the digital domain.