MUT-8694: An NPM and PyPI Malicious Campaign Targeting Windows Users

Datadog’s CLI tool GuardDog is designed to detect malicious packages across PyPI, npm, and Go modules. On October 10 it identified a new threat within the PyPI ecosystem.

The package was named larpexodus (version 0.1), and on investigation was found to execute a PowerShell command that downloaded and executed a Windows PE32 binary from github[.]com/holdthaw/main/CBLines.exe. Analysis of the binary confirmed it was infostealer malware, referred to as Blank Grabber, compiled from an open source project hosted on Github. Exploration of the GitHub repository revealed another commodity stealer sample, this time compiled from the open source Skuld Stealer project.

After further analysis of our dataset, we found the same binary downloader in multiple packages hosted on npm, indicating a broader campaign involving multiple package ecosystems. The malicious packages on both npm and PyPi masquerade as legitimate packages, often through the use of typosquatting.

Datadog is tracking this cluster of threat activity as MUT-8694. We use the MUT (mysterious unattributed threat) designation to track clusters unattributed to a known threat actor. The use of numerous packages and involvement of several malicious users suggests MUT-8694 is persistent in their attempts to compromise developers.

Leave a Comment