New Infostealer Targeting Exodus Crypto Wallets via Malicious npm Package

2025-02-16

I recently discovered a new infostealer targeting Exodus crypto wallets that was being spread via an npm package named “react-scripts-win”. This malware evaded detection by security tools like SentinelOne, VirusTotal, and sandboxes like ANY.RUN. Many infosec professionals assume that EDR (Endpoint Detection and Response) tools will protect them from malicious software packages, but this case proves otherwise.

How the Malware Works

The malicious npm package “react-scripts-win” was designed to mimic a legitimate package, tricking developers into installing it. Once installed, the package executed a script that extracted sensitive information, such as private keys and wallet credentials, from Exodus wallets. The malware then exfiltrated this data to a remote server controlled by the attackers.

Detection Evasion Techniques

The malware employed several techniques to evade detection:

  1. Obfuscation: The code was heavily obfuscated to avoid detection by static analysis tools.
  2. Delayed Execution: The malicious payload was executed only after a certain period, bypassing sandbox environments that typically run code for a limited time.
  3. Legitimate Traffic Mimicry: The malware communicated with its command-and-control server using protocols and patterns that resembled legitimate traffic, making it harder to detect.

Practice-Verified Commands and Codes

To protect against such threats, here are some practical steps and commands you can use:

1. Verify npm Packages:

npm audit
npm ls react-scripts-win

`npm audit` reports installed dependencies that have published security advisories, and `npm ls react-scripts-win` shows whether the package is present anywhere in the dependency tree and which package pulled it in.
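A script that automates the check in step 1, added here as an example and not code from the original post: it walks `node_modules`, flags every package that declares an install-time lifecycle script (the mechanism by which an npm package runs code during `npm install`, before the developer ever imports it), and flags package names that closely resemble a list of trusted names you supply. `TRUSTED_NAMES`, `SAMPLE_MANIFEST` and its `postinstall` command are constructed for illustration; they are not the contents of the real package.

```python
"""Audit an npm dependency tree for install-time hooks and look-alike names.

Added example, not code from the original post. It assumes a project
directory containing node_modules/; TRUSTED_NAMES and SAMPLE_MANIFEST are
constructed for illustration (the real package's manifest is not reproduced).
"""
import json
import os
from difflib import SequenceMatcher
from typing import Dict, List, Optional

# npm runs these scripts automatically during `npm install`, so a package can
# execute code before the developer ever imports it.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed list of packages the project is known to depend on.
TRUSTED_NAMES = ["react", "react-dom", "react-scripts"]

# Constructed manifest standing in for a look-alike package; the postinstall
# command is a placeholder, not the real package's script.
SAMPLE_MANIFEST = {
    "name": "react-scripts-win",
    "version": "1.0.0",
    "scripts": {"postinstall": "node ./setup.js"},
}


def lifecycle_hooks(manifest: dict) -> Dict[str, str]:
    """Return the install-time scripts declared in a package.json dict."""
    scripts = manifest.get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def lookalike(name: str, trusted: List[str], threshold: float = 0.8) -> Optional[str]:
    """Return the trusted name that `name` closely resembles, or None.

    An exact match is the genuine package and is never reported.
    """
    if name in trusted:
        return None
    best, best_ratio = None, 0.0
    for candidate in trusted:
        ratio = SequenceMatcher(None, name, candidate).ratio()
        if ratio > best_ratio:
            best, best_ratio = candidate, ratio
    return best if best_ratio >= threshold else None


def audit_manifest(manifest: dict, trusted: List[str]) -> List[str]:
    """Return human-readable findings for a single package.json dict."""
    findings = []
    name = manifest.get("name", "<unnamed>")
    for hook, cmd in lifecycle_hooks(manifest).items():
        findings.append(f"{name}: runs a '{hook}' script during npm install: {cmd}")
    target = lookalike(name, trusted)
    if target is not None:
        findings.append(f"{name}: name closely resembles trusted package '{target}'")
    return findings


def audit_node_modules(project_dir: str, trusted: List[str]) -> List[str]:
    """Walk node_modules under project_dir and audit every package.json found."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(os.path.join(project_dir, "node_modules")):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort
        if isinstance(manifest, dict):
            findings.extend(audit_manifest(manifest, trusted))
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for line in audit_node_modules(root, TRUSTED_NAMES) or ["no findings"]:
        print(line)
```

Run it from the project root (`python audit_npm.py .`) after every install. A finding is a prompt to read the package before trusting it, not proof of malice: many legitimate native packages use `postinstall` to compile bindings, and the name-similarity threshold should be tuned to your own dependency list.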

2. Monitor Network Traffic:

Use tools like `tcpdump` to monitor network traffic for suspicious activity:

sudo tcpdump -i eth0 -w output.pcap

Analyze the captured traffic using Wireshark or similar tools.

3. Check for Unauthorized Processes:

Use `ps` and `netstat` to identify unauthorized processes and network connections (the bracket trick keeps `grep` from matching its own command line, and `-l` is dropped from `netstat` because it lists only listening sockets, which never show as ESTABLISHED):

ps aux | grep '[r]eact-scripts-win'
sudo netstat -tunp | grep ESTABLISHED

4. Implement File Integrity Monitoring:

Use tools like AIDE (Advanced Intrusion Detection Environment) to monitor file integrity:

sudo aide --check
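A minimal file-integrity baseline in the spirit of AIDE, added here as an example and not code from the original post or from the AIDE project: it records a SHA-256 digest for every regular file under a directory, stores the baseline as JSON, and on a later run reports files that were added, removed or modified. `self_check()` builds a throwaway directory tree, takes a baseline, simulates three changes and returns the resulting diff; every file and content in it is constructed.

```python
"""Minimal file-integrity monitoring: baseline, compare, report.

Added example, not from the original post or the AIDE project. Typical use is
to baseline a dependency tree (for example node_modules/) right after a
reviewed install and to compare against it on a schedule.
"""
import hashlib
import json
import os
import sys
import tempfile
from typing import Dict, List

CHUNK = 1 << 16


def hash_file(path: str) -> str:
    """Return the hex SHA-256 of a file, read in chunks to bound memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each regular file's path (relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not hashed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def diff_baseline(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two baselines and return sorted added/removed/modified paths."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def self_check() -> Dict[str, List[str]]:
    """Run the workflow on a constructed temp tree; returns the detected diff."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = os.path.join(tmp, "node_modules")
        os.makedirs(os.path.join(tree, "pkg"))
        with open(os.path.join(tree, "pkg", "index.js"), "w") as fh:
            fh.write("module.exports = 1;\n")  # constructed content
        with open(os.path.join(tree, "pkg", "package.json"), "w") as fh:
            fh.write('{"name": "pkg"}\n')  # constructed content
        db = os.path.join(tmp, "baseline.json")
        save_baseline(build_baseline(tree), db)
        # Simulate post-baseline changes: modify one file, delete one, add one.
        with open(os.path.join(tree, "pkg", "index.js"), "a") as fh:
            fh.write("// tampered\n")
        os.remove(os.path.join(tree, "pkg", "package.json"))
        with open(os.path.join(tree, "pkg", "extra.js"), "w") as fh:
            fh.write("// new file\n")
        return diff_baseline(load_baseline(db), build_baseline(tree))


if __name__ == "__main__":
    # Usage: fim.py init DIR DB  |  fim.py check DIR DB  |  fim.py selftest
    if len(sys.argv) == 2 and sys.argv[1] == "selftest":
        print(json.dumps(self_check(), indent=2))
    elif len(sys.argv) == 4 and sys.argv[1] == "init":
        save_baseline(build_baseline(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        print(json.dumps(diff_baseline(load_baseline(sys.argv[3]), build_baseline(sys.argv[2])), indent=2))
    else:
        print(__doc__)
```

The baseline file must live outside the monitored tree and be protected from the same privileges the monitored code runs with; otherwise anything that can modify the tree can also rewrite the baseline to match.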

5. Use YARA Rules for Malware Detection:

Create YARA rules to detect known malicious patterns in files:

yara -r malware_rules.yar /path/to/scan

What Undercode Say

In the ever-evolving landscape of cybersecurity, it’s crucial to stay vigilant and proactive. The case of the “react-scripts-win” npm package highlights the importance of not solely relying on EDR tools for protection. Here are some additional Linux and Windows commands to enhance your security posture:

  • Linux:
    • Use `chkrootkit` to check for rootkits:
      sudo chkrootkit
    • Monitor system logs for unusual activity:
      sudo tail -f /var/log/syslog

  • Windows:
    • Use PowerShell to scan for malicious processes:
      Get-Process | Where-Object { $_.Path -like "*react-scripts-win*" }
    • Check for unauthorized startup items:
      Get-CimInstance Win32_StartupCommand

  • General Best Practices:
    • Regularly update your software and dependencies to patch known vulnerabilities.
    • Use multi-factor authentication (MFA) to secure your accounts.
    • Educate your team about the risks of installing untrusted packages and the importance of code reviews.

For more detailed information on securing your software supply chain, refer to OWASP’s Software Supply Chain Security Guidelines.

Stay safe, and always verify before you trust!
