Hackers Infect Security Researchers with Malware to Steal WordPress Credentials

For the past year, a cyberattack campaign has been targeting security professionals, including red teamers, penetration testers, and researchers, infecting their systems with malware. The malicious software has been used to steal WordPress credentials and sensitive data while also installing cryptominers on compromised devices. Over 390,000 WordPress accounts have been affected, and multiple systems have been found mining Monero, a cryptocurrency favored for its anonymity.  

Researchers from Datadog Security Labs uncovered the attack in the NPM package repository and on GitHub. Checkmarx, another cybersecurity organization, also recently raised concerns about the same threat. The malicious package masqueraded as an XML-RPC implementation, first appearing in October 2023. Initially functional and legitimate, the package was updated 16 times before being identified as harmful in November 2024.

The attackers adopted a calculated approach to gain trust within the developer community. Early versions of the package performed as advertised, but later updates introduced malicious functionality. 

Once installed, the malware activated every 12 hours, collecting sensitive information such as SSH keys and command-line histories. The stolen data was then exfiltrated through file-sharing platforms like Dropbox or File.io.

This campaign’s impact extended further as unsuspecting security professionals integrated the compromised package into their own tools and projects. This turned the operation into a large-scale supply chain attack,

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.