A year-long supply chain campaign, discovered by Checkmarx and Datadog Security Labs and attributed to the threat actor MUT-1244, targeted cybersecurity researchers through a backdoored npm package and fake GitHub proof-of-concept (PoC) exploits. The multi-vector attack successfully compromised thousands of security professionals’ systems.
Malicious npm Package at the Center of the Campaign
The attack primarily revolves around a compromised npm package called @0xengine/xmlrpc, which was initially published as a legitimate XML-RPC implementation for Node.js in October 2023. The package underwent 16 updates over the course of a year, accumulating approximately 1,790 downloads. The threat actors employed sophisticated code obfuscation techniques to conceal malicious functionality, enabling the package to evade detection by security tools and code reviewers.
49 Fake GitHub Accounts and AI-Generated Profiles: Distribution Infrastructure
The attack infrastructure included 49 fraudulent GitHub accounts created in late 2024, which distributed seemingly legitimate exploit code for various security vulnerabilities. To enhance credibility, the attackers utilized AI-generated profile pictures and conducted a targeted phishing campaign that reached 2,758 researchers and high-performance computing system developers. This multi-pronged approach significantly increased the attack’s success rate and reach.
Technical Impact and Data Exfiltration
Upon successful compromise, the malware deploys a sophisticated backdoor masquerading as an Xsession.auth service. This backdoor operates on a 12-hour cycle, systematically harvesting sensitive information including:
- SSH private keys and configurations
- AWS credentials and access tokens
- Other security-critical system information
390,000 Credentials Stolen: Scope and Feedly/Vulnmon Propagation
According to Datadog’s analysis, the campaign has resulted in the theft of approximately 390,000 sets of credentials. The situation was further complicated by the automatic inclusion of some malicious packages in legitimate vulnerability feeds, including Feedly Threat Intelligence and Vulnmon, which inadvertently amplified the attack’s reach.
The inclusion of a Monero miner in the payload is anomalous given the campaign’s targeting sophistication: it suggests either financial opportunism layered on top of an intelligence-collection objective, or APT actors using commodity components to complicate attribution. Security researchers should treat any PoC exploit repository from an unknown GitHub account with suspicion, verify npm packages by auditing their git history for obfuscated updates across versions, and rotate SSH keys and cloud credentials on any system that installed @0xengine/xmlrpc.
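One way to act on the version-auditing advice above, as an added example that is not the article's code and not from Checkmarx, Datadog or npm: a JavaScript scorer that compares consecutive releases of a package for obfuscation signals (hex-escaped strings, `_0x…` identifiers, dynamic `Function`/`atob` calls, high-entropy string literals) and flags a release whose score jumps. The sample package history, the function names and the thresholds are constructed for illustration.

```javascript
// Added example (not from the article or any project it names): heuristic review of
// consecutive npm releases, flagging one whose code suddenly looks obfuscated.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Signals that rise sharply when a release carries a packed/obfuscated blob.
function obfuscationScore(source) {
  const dynamicEval = (source.match(/\b(eval|Function|fromCharCode|atob)\s*\(/g) || []).length;
  const hexEscapes = (source.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
  const hexNames = (source.match(/\b_0x[0-9a-f]{4,}\b/g) || []).length;
  const longStrings = source.match(/(["'])(?:(?!\1)[^\\]|\\.){60,}\1/g) || [];
  const highEntropy = longStrings.filter((s) => shannonEntropy(s) > 4.5).length;
  return Math.min(dynamicEval, 3) + (hexEscapes ? 2 : 0) + (hexNames ? 2 : 0) + Math.min(highEntropy, 3);
}

// versions: [{ version, source }] in publication order. Returns releases whose
// score jumps by at least `threshold` over the previous one.
function flagSuspiciousVersions(versions, threshold = 3) {
  const flagged = [];
  let prev = null;
  for (const v of versions) {
    const score = obfuscationScore(v.source);
    if (prev !== null && score - prev.score >= threshold) {
      flagged.push({ version: v.version, score, previous: prev.score });
    }
    prev = { version: v.version, score };
  }
  return flagged;
}

// Constructed stand-in for a package history: two honest XML-RPC-style helper
// releases, then one appending hex-named arrays, escaped strings and a
// Function(atob(...)) call around an opaque (constructed, meaningless) blob.
const BLOB = "aZ1bY2cX3dW4eV5fU6gT7hS8iR9jQ0kPlOmNnMoLpKqJrIsHtGuFvEwDxCyBzA";
const HELPER = 'function encodeValue(v) { return "<string>" + String(v) + "</string>"; }';
const SAMPLE_VERSIONS = [
  { version: "1.0.0", source: HELPER + "\nmodule.exports = { encodeValue };\n" },
  { version: "1.0.1", source: HELPER + "\nfunction encodeInt(n) { return \"<int>\" + n + \"</int>\"; }\nmodule.exports = { encodeValue, encodeInt };\n" },
  { version: "1.1.0", source: HELPER + '\nvar _0x4f2a = ["\\x63\\x6f\\x6e\\x73\\x74", "\\x72\\x65\\x74"]; new Function(atob("' + BLOB + '"))();\nmodule.exports = { encodeValue };\n' },
];
console.log(JSON.stringify(flagSuspiciousVersions(SAMPLE_VERSIONS))); // [{"version":"1.1.0","score":7,"previous":0}]
```

In practice the `source` of each entry would be the concatenated JavaScript of each published tarball, so a jump between releases points a reviewer at the exact version to read by hand.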