Huge cybercrime attack sees 390,000 WordPress websites hit, details stolen

Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
(Image credit: Shutterstock)

  • Researchers found a malicious package on NPM, uploaded a year ago
  • It was benign at first, and introduced malware later via an update
  • The malware stole hundreds of thousands of secrets and installed cryptojackers on dozes of computers

For roughly a year, hackers have been infecting red teamers, penetration testers, security researchers, as well as other hackers, with a piece of malware that steals WordPress credentials and other sensitive data, and installs cryptominers on compromised endpoints.

As a result, login credentials for some 390,000 WordPress accounts were stolen, and dozens of systems were found mining Monero.

Cybersecurity researchers Datadog Security Labs spotted the attack on the NPM package repository, and in GitHub, after researchers from Checkmarx also sounded the alarm on the same campaign recently.

The package was pretending to be an XML-RPC implementation, and was first uploaded to the repository in October 2023. Until November 2024, when it was finally discovered as malicious, it received 16 updates.

Legitimate at first

Datadog noted ho the attackers were tactical in their approach, first uploading a package that was legitimate and worked as intended. The malicious code was introduced in later versions, and designed to steal SSH keys, bash history, and other data, every 12 hours. The data it collects would get extracted either via Dropbox, or File.io.

To make matters worse, researchers and security pros that would introduce XML-RPC into their own products would just expand the reach of the malware, turning it into a full-blown supply chain attack.

Datadog said that ultimately, the team found 68 compromised systems that were actively mining the Monero currency. Monero, with the XMR ticker, is most often mined with a cryptojacker called XMRig. This is a popular currency among thieves since it’s fully anonymous and very difficult to trace.

The identity of the threat actors was not discovered, but the researchers dubbed the group MUT-1224, which is short for Mysterious Unattributed Threat.

Major code repositories remain a vital platform for cybercriminals, the researchers concluded, stressing that developers should be extra careful when using open-source software.

Via BleepingComputer

You might also like

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.