Researchers Uncover RAT-Dropping npm Package Targeting Gulp Users

Cybersecurity researchers have uncovered a new suspicious package uploaded to the npm package registry that’s designed to drop a remote access trojan (RAT) on compromised systems.

The package in question is glup-debugger-log, which targets users of the gulp toolkit by masquerading as a “logger for gulp and gulp plugins.” It has been downloaded 175 times to date.

Software supply chain security firm Phylum, which discovered the package, said the software comes fitted with two obfuscated files that work in tandem to deploy the malicious payload.

“One worked as a kind of initial dropper setting the stage for the malware campaign by compromising the target machine if it met certain requirements, then downloading additional malware components, and the other script providing the attacker with a persistent remote access mechanism to control the compromised machine,” it said.

Phylum’s closer examination of the library’s package.json file – which acts as a manifest file outlining all metadata associated with a package – found the use of a test script to run a JavaScript file (“index.js”) that, in turn, invokes an obfuscated JavaScript file (“play.js”).

The second JavaScript file functions as a dropper to fetch next-stage malware, but not before running a series of checks for network interfaces, specific types of Windows operating systems (Windows NT), and, in an unusual twist, the number of files in the Desktop folder.

“They check to ensure that the Desktop folder of the machine’s home directory contains seven or more items,” Phylum explained.

“At first glance, this may seem absurdly arbitrary, but it’s likely that this is a form of user activity indicator or a way to avoid deployment on controlled or managed environments like VMs or brand new installations. It appears the attacker is targeting active developer machines.”

Assuming all the checks go through, it launches another JavaScript configured in the package.json file (“play-safe.js”) to set up persistence. The loader further packs in the capability to execute arbitrary commands from a URL or a local file.

The “play-safe.js” file, for its part, establishes an HTTP server and listens on port 3004 for incoming commands, which are then executed. The server sends the command output back to the client in the form of a plaintext response.

Phylum described the RAT as both crude and sophisticated, owing to its minimal functionality, self-contained nature, and its reliance on obfuscation to resist analysis.

“It continues to highlight the ever-evolving landscape of malware development in the open source ecosystems, where attackers are employing new and clever techniques in an attempt to create compact, efficient, and stealthy malware they hope can evade detection while still possessing powerful capabilities,” the company said.