"Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub"
Two malicious packages on the NPM package registry use GitHub to store Base64-encoded SSH keys stolen from developer systems. One module was downloaded 412 times, and the other was downloaded 1,281 times before being removed by the NPM maintainers. The software supply chain security company ReversingLabs, which made the discovery, noted that there were eight different versions of one module and more than 30 versions of the other. Both modules run a postinstall script after installation, with each capable of retrieving and executing a different JavaScript file.
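
Because both modules rely on a postinstall script, a dependency tree can be audited for install-time hooks before they are trusted. The following is an added example, not code from the article or from ReversingLabs: it lists every `preinstall`, `install` and `postinstall` hook declared under a `node_modules` directory. The package names in the sample data are constructed, and the `runsJsFile` heuristic is an assumption of this example.

```javascript
// Install-time lifecycle hooks that npm runs automatically on `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Return one finding per install hook declared in a parsed package.json.
function auditManifest(manifest) {
  const scripts = (manifest && typeof manifest.scripts === 'object' && manifest.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string' && scripts[hook].trim() !== '')
    .map((hook) => ({
      package: `${manifest.name}@${manifest.version}`,
      hook,
      command: scripts[hook],
      // Heuristic (assumption): the hook hands control to a JavaScript file via node.
      runsJsFile: /(^|[\s;&|])node\s+\S+\.(c|m)?js\b/.test(scripts[hook]),
    }));
}

// Walk a node_modules tree, including scoped (@scope/name) and nested packages.
function auditTree(nodeModulesDir) {
  const fs = require('fs');
  const path = require('path');
  const findings = [];
  const visit = (dir) => {
    if (!fs.existsSync(dir)) return;
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
      const pkgDir = path.join(dir, entry.name);
      if (entry.name.startsWith('@')) { visit(pkgDir); continue; } // scope folder
      try {
        const manifest = JSON.parse(fs.readFileSync(path.join(pkgDir, 'package.json'), 'utf8'));
        findings.push(...auditManifest(manifest));
      } catch { /* no readable package.json here: skip */ }
      visit(path.join(pkgDir, 'node_modules')); // nested dependencies
    }
  };
  visit(nodeModulesDir);
  return findings;
}

// Constructed manifests (hypothetical names, not the packages from the report).
const SAMPLES = [
  { name: 'example-config-helper', version: '1.0.3', scripts: { postinstall: 'node scripts/setup.js' } },
  { name: 'example-native-addon', version: '2.1.0', scripts: { install: 'node-gyp rebuild', test: 'mocha' } },
  { name: 'example-plain-lib', version: '0.4.0', scripts: { test: 'jest' } },
];
const auditSamples = () => SAMPLES.flatMap(auditManifest);
console.log(auditSamples());
```

`auditTree` does not follow symlinked package directories, so symlink-based layouts need the links resolved first. Installing with `npm install --ignore-scripts` keeps these hooks from running while the findings are reviewed.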