Once executed, the malware collects a range of sensitive information from the developer's environment. This includes email addresses, system details, and credentials from CI/CD platforms such as GitHub Actions, GitLab CI, Jenkins, and CircleCI.
The stolen data is then transmitted to attacker-controlled servers using several redundant methods, including HTTP GET and POST requests and even WebSocket connections, ensuring exfiltration works across different network environments. Because the malicious code never appears directly in the npm package itself, traditional scanning tools that focus on package contents fail to flag it.
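The paragraph above notes that scanners focused on package contents miss code the package does not itself carry. One complementary check a defender can run in CI, added here as an example and not code from the article or the researchers, is to audit package.json for dependency specifiers that pull code from outside the npm registry (URL, git and shorthand specifiers) and for install-time lifecycle hooks; the package.json below is constructed and uses .invalid hostnames.

```python
import json
from urllib.parse import urlparse

# Constructed sample package.json for demonstration only (not a real package).
SAMPLE_PACKAGE_JSON = """
{
  "name": "example-app",
  "dependencies": {
    "lodash": "^4.17.21",
    "left-pad": "1.3.0",
    "helper-utils": "http://cdn.example.invalid/pkgs/helper-utils.tgz",
    "internal-lib": "git+https://git.example.invalid/org/internal-lib.git",
    "local-tool": "file:../local-tool"
  },
  "devDependencies": {"jest": "~29.0.0", "build-step": "github:someorg/build-step"},
  "scripts": {"test": "jest", "postinstall": "node setup.js"}
}
"""

TRUSTED_HOSTS = {"registry.npmjs.org"}          # tarball URLs on the registry itself
REMOTE_SCHEMES = ("http", "https", "git", "git+ssh", "git+http", "git+https", "ssh")
REMOTE_PREFIXES = ("github:", "gitlab:", "bitbucket:", "gist:")
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")

def classify_spec(spec):
    """Classify a dependency specifier as 'registry', 'remote' or 'local'."""
    if spec.startswith(("file:", "link:")):
        return "local"
    if spec.startswith("npm:"):                  # alias of another registry package
        return "registry"
    parsed = urlparse(spec)
    if parsed.scheme in ("http", "https") and parsed.hostname in TRUSTED_HOSTS:
        return "registry"
    if parsed.scheme in REMOTE_SCHEMES or spec.startswith(REMOTE_PREFIXES):
        return "remote"
    if "/" in spec and ":" not in spec:          # bare "user/repo" GitHub shorthand
        return "remote"
    return "registry"                            # semver range, tag, or empty

def audit_package_json(text):
    """Return (section, name, spec, kind) for every finding worth a human look."""
    pkg = json.loads(text)
    findings = []
    for section in SECTIONS:
        for name, spec in pkg.get(section, {}).items():
            kind = classify_spec(spec)
            if kind != "registry":
                findings.append((section, name, spec, kind))
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:                # runs automatically on npm install
            findings.append(("scripts", hook, cmd, "install-hook"))
    return findings
```

Run the audit against each package.json and lockfile in a repository and fail the pipeline on any "remote" finding that is not on an allow list; install hooks are common in legitimate packages, so treat them as review items rather than hard failures.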
Operational patterns challenge the “research experiment” claim
Despite the new waves, PhantomRaven’s core functionality has remained largely unchanged, the researchers said. They found that 257 out of 259 lines of the malware payload are identical across all waves, with the only significant modification being the command-and-control domain used to receive stolen data.