A sophisticated year-long supply chain attack campaign, discovered by Checkmarx and Datadog Security Labs, has been targeting cybersecurity researchers and ethical hackers through compromised development tools and fake proof-of-concept exploits. The threat actor, identified as MUT-1244, has orchestrated a multi-vector attack that has successfully compromised thousands of security professionals’ systems.
Malicious npm Package at the Center of the Campaign
The attack primarily revolves around a compromised npm package called @0xengine/xmlrpc, which was initially published as a legitimate XML-RPC implementation for Node.js in October 2023. The package underwent 16 updates over the course of a year, accumulating approximately 1,790 downloads. The threat actors employed sophisticated code obfuscation techniques to conceal malicious functionality, enabling the package to evade detection by security tools and code reviewers.
Sophisticated Social Engineering and Distribution Methods
The attack infrastructure included 49 fraudulent GitHub accounts created in late 2024, which distributed seemingly legitimate exploit code for various security vulnerabilities. To enhance credibility, the attackers utilized AI-generated profile pictures and conducted a targeted phishing campaign that reached 2,758 researchers and high-performance computing system developers. This multi-pronged approach significantly increased the attack’s success rate and reach.
Technical Impact and Data Exfiltration
Upon successful compromise, the malware deploys a sophisticated backdoor masquerading as an Xsession.auth service. This backdoor operates on a 12-hour cycle, systematically harvesting sensitive information including:
- SSH private keys and configurations
- AWS credentials and access tokens
- Other security-critical system information
Unprecedented Scale of Compromise
According to Datadog’s analysis, the campaign has resulted in the theft of approximately 390,000 sets of credentials. The situation was further complicated by the automatic inclusion of some malicious packages in legitimate vulnerability feeds, including Feedly Threat Intelligence and Vulnmon, which inadvertently amplified the attack’s reach.
While the operation’s success is evident, security researchers remain puzzled by the inclusion of a Monero cryptocurrency miner in the payload, which seems inconsistent with the sophisticated nature of the attack. This detail, combined with the careful targeting of security professionals, suggests possible nation-state involvement or advanced persistent threat (APT) activity. Security experts strongly advise implementing strict verification procedures for third-party packages and PoC exploits, emphasizing the importance of software supply chain security in the current threat landscape.
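One way to apply that verification advice to an npm project, as an added example that is not from Checkmarx, Datadog or the original article: the script below searches a package-lock.json for @0xengine/xmlrpc, including transitive and aliased installs. The sample lockfile, the `example-app` and `example-helper` names and the version strings are constructed for illustration.

```javascript
// Added example: search an npm lockfile for a named package, direct or transitive.
const FLAGGED = '@0xengine/xmlrpc'; // package name reported in the article

function findInLockfile(lockText, name = FLAGGED) {
  const lock = JSON.parse(lockText);
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the project itself.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue;
      // meta.name is recorded when the folder name differs from the package (alias).
      const pkgName = meta.name || path.split('node_modules/').pop();
      if (pkgName === name) hits.push({ where: path, version: meta.version });
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [depName, meta] of Object.entries(deps || {})) {
      const here = [...trail, depName];
      if (depName === name) hits.push({ where: here.join(' > '), version: meta.version });
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample (hypothetical project and versions): the flagged package
// arrives only as a nested dependency of another package.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'example-helper': '^1.0.0' } },
    'node_modules/example-helper': { version: '1.0.0' },
    'node_modules/example-helper/node_modules/@0xengine/xmlrpc': { version: '0.0.0-constructed' },
  },
});

// With a path argument, audit that lockfile; otherwise run on the sample.
if (process.argv[2]) {
  import('node:fs').then((fs) => {
    const hits = findInLockfile(fs.readFileSync(process.argv[2], 'utf8'));
    console.log(hits.length ? hits : `${FLAGGED} not found`);
    process.exitCode = hits.length ? 1 : 0;
  });
} else {
  console.log(findInLockfile(SAMPLE_LOCK));
}
```

A hit shows which dependency path pulled the package in. The lockfile only records what was resolved, so hosts that installed it still need checking for the Xsession.auth service described above.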