Arti

CloudSEK TRIAD identified a sophisticated npm supply chain attack involving the typosquatted package crypto-javascri, which harvested npm and GitHub credentials and used compromised maintainer accounts to silently republish trojanized packages.

Persistence - The Systemd Implant Following credential theft and payload staging, the binary establishes persistence through: ~/.local/bin/systemd-broker ← copy of the main binary ~/.config/systemd/user/systemd-broker.service

Persistence - The Systemd Implant Following credential theft and payload staging, the binary establishes persistence through: ~/.local/bin/systemd-broker ← copy of the main binary ~/.config/systemd/user/systemd-broker.service

Searching for hex-encoded Python patterns in the binary revealed a continuous string of hexadecimal characters at binary offset 1,709,372 (0x1A1F7C). The string begins with 78daab77f57163626464... - the 78da magic byte is the zlib compression header.

The binary is timestomped to match the mtime of legitimate system binaries, reducing the signal available to filesystem based detectors.

Cloud detection gate: The malware checks for cloud provider metadata endpoints. If no cloud environment is detected, it exits cleanly.

Cloud detection gate: The malware checks for cloud provider metadata endpoints. If no cloud environment is detected, it exits cleanly.

Strace output TOR C2 1cpur2zdsv762uzyoyzma6pvzz4a2xhv64zdouxpjlu3exyks7gh7leyd.onion:80 -> Using Tor as the command-and-control (C2) channel gives the attacker both anonymity and resilience.

The malware bootstraps a full Tor client, builds a circuit to a hidden service, and maintains a heartbeat.

The presence of struct MinerConfig confirms a cryptomining component. The field names (XM_POOL, XM_ADDRESS, XM_MAX_THREADS_HINT) follow XMRig convention.