Sophisticated Supply Chain Campaign Targets Cybersecurity Researchers Through Compromised Tools

CyberSecureFox 🦊

A sophisticated year-long supply chain attack campaign, discovered by Checkmarx and Datadog Security Labs, has been targeting cybersecurity researchers and ethical hackers through compromised development tools and fake proof-of-concept exploits. The threat actor, identified as MUT-1244, has orchestrated a multi-vector attack that has successfully compromised thousands of security professionals’ systems.

Malicious npm Package at the Center of the Campaign

The attack primarily revolves around a compromised npm package called @0xengine/xmlrpc, which was initially published as a legitimate XML-RPC implementation for Node.js in October 2023. The package underwent 16 updates over the course of a year, accumulating approximately 1,790 downloads. The threat actors employed sophisticated code obfuscation techniques to conceal malicious functionality, enabling the package to evade detection by security tools and code reviewers.

Sophisticated Social Engineering and Distribution Methods

The attack infrastructure included 49 fraudulent GitHub accounts created in late 2024, which distributed seemingly legitimate exploit code for various security vulnerabilities. To enhance credibility, the attackers utilized AI-generated profile pictures and conducted a targeted phishing campaign that reached 2,758 researchers and high-performance computing system developers. This multi-pronged approach significantly increased the attack’s success rate and reach.

Technical Impact and Data Exfiltration

Upon successful compromise, the malware deploys a sophisticated backdoor masquerading as an Xsession.auth service. This backdoor operates on a 12-hour cycle, systematically harvesting sensitive information including:

  • SSH private keys and configurations
  • AWS credentials and access tokens
  • Other security-critical system information

Unprecedented Scale of Compromise

According to Datadog’s analysis, the campaign has resulted in the theft of approximately 390,000 sets of credentials. The situation was further complicated by the automatic inclusion of some malicious packages in legitimate vulnerability feeds, including Feedly Threat Intelligence and Vulnmon, which inadvertently amplified the attack’s reach.

While the operation’s success is evident, security researchers remain puzzled by the inclusion of a Monero cryptocurrency miner in the payload, which seems inconsistent with the sophisticated nature of the attack. This detail, combined with the careful targeting of security professionals, suggests possible nation-state involvement or advanced persistent threat (APT) activity. Security experts strongly advise implementing strict verification procedures for third-party packages and PoC exploits, emphasizing the importance of software supply chain security in the current threat landscape.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.