
Submitted by
Style Pass
2024-12-28 12:30:04

These packages were deployed by an NPM user named shulkwisec.  The two packages are “baby-electron” and “baby-electrona”.

The two NPM packages each contain only two files: the package.json and a single JavaScript file. The JavaScript file in both packages has a very simplistic reverse shell embedded in it, which you can see if you browse the file at https://www.npmjs.com/package/baby-electrona?activeTab=code

The person who deployed these malicious packages is a security researcher, CTF player, and bug bounty hacker who uses the handle “ShulkwiSEC”.

I’ve alerted NPM but these packages haven’t been marked as malicious yet, so no security tool could protect you from these malicious packages. Unfortunately, that’s how most software supply chain security tools work:  you have to know that a package is malicious before the tool can protect you.

But in general, it’s a good idea not to install NPM packages blindly.  If you know what to look for, there are definite signals that these packages are dodgy.  Both of these packages have just two files:  package.json and index.js (or main.js).  This is one of several flags that you can use to determine if a package is legit or not.  
