
Typosquatting Campaign Delivers R77 Rootkit Through Malicious JavaScript Package
Researchers at ReversingLabs have discovered a new supply chain attack on the npm platform. The typosquatting attack involved a malicious package called node-hide-console-windows that downloaded a Discord bot, which in turn planted an open-source rootkit called r77. This is the first time a malicious open-source package delivering rootkit functionality has been found, indicating that open-source projects may now be targeted as a channel for distributing malware.

The attackers used typosquatting to make the malicious package resemble the legitimate package's page: the malicious package had 10 published versions, just like the legitimate one. It attracted attention because of suspicious signals, including a newly created maintainer account and untrustworthy code.

The executable fetched by the package was identified as DiscordRAT 2.0, an open-source Trojan. DiscordRAT lets malicious actors control infected hosts and even launch the r77 rootkit on the victim's machine. r77 is a fileless ring 3 rootkit that can hide files and processes. It is also worth noting that the package downloaded a further malicious payload disguised as a Visual Studio Code update.
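The near-miss naming described above is exactly what a dependency allowlist check can catch. The following is an added example, not code from ReversingLabs or from the packages involved; it flags manifest dependencies that are not on a trusted list but sit within a small edit distance of a trusted name. The legitimate name used here, "node-hide-console-window", is an assumption for illustration, as is the constructed sample manifest.

```javascript
// Added example (not from the ReversingLabs write-up): detect dependency names
// that differ from a trusted package name by only one or two edits, the pattern
// the node-hide-console-windows typosquat relied on. The trusted name
// "node-hide-console-window" is assumed for illustration.

// Levenshtein distance extended with adjacent transpositions (Damerau variant),
// so swapped letters such as "lodahs" also score as a single edit.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Return dependencies from a package.json-style object that are not on the
// trusted list but lie within `maxDistance` edits of a trusted name.
function findTyposquatCandidates(pkg, trusted, maxDistance = 2) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const trustedSet = new Set(trusted);
  const hits = [];
  for (const name of Object.keys(deps)) {
    if (trustedSet.has(name)) continue; // exact match on the allowlist is fine
    for (const t of trusted) {
      const distance = editDistance(name, t);
      if (distance > 0 && distance <= maxDistance) hits.push({ name, resembles: t, distance });
    }
  }
  return hits;
}

// Constructed sample manifest; in practice the trusted list is your own allowlist.
const samplePackageJson = {
  dependencies: { "node-hide-console-windows": "^1.0.0", lodash: "^4.17.21" },
};
const trustedPackages = ["node-hide-console-window", "lodash"];

console.log(findTyposquatCandidates(samplePackageJson, trustedPackages));
```

Run it against a real manifest by replacing `samplePackageJson` with the parsed contents of package.json; a hit is a prompt to inspect the package's maintainer history and publish dates, not proof of malice.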