Malicious npm and PyPI Packages Exfiltrate SSH Keys From Server

JavaScript and Python each have their own package repository: npm (Node Package Manager) and PyPI (Python Package Index), respectively.

Developers use them as central hubs for publishing and exchanging reusable code libraries and packages.

Sonatype Security Research is tracking a campaign on the npm registry that uses npm packages to extract Kubernetes configs and SSH keys. Their automated system found 14 malicious packages, which the researchers promptly reported to the npm registry admins.

Sonatype researchers Carlos Fernandez and Gustavo Simoes found deceptive packages that mimic JavaScript libraries and contain obfuscated code to steal sensitive files post-installation.


Tracked packages

The following packages are tracked as “Sonatype-2023-4000” and “Sonatype-2023-4004”:

  • @am-fe/hooks
  • @am-fe/provider
  • @am-fe/request
  • @am-fe/utils
  • @am-fe/watermark
  • @am-fe/watermark-core
  • @dynamic-form-components/mui
  • @dynamic-form-components/shineout
  • @expue/app
  • @fixedwidthtable/fixedwidthtable
  • @soc-fe/use
  • @spgy/eslint-plugin-spgy-fe
  • @virtualsearchtable/virtualsearchtable
  • shineouts

Technical analysis

Batches of packages with under 200 downloads shared the commonality of using “” in their accounts.

The package, named ‘fixedwidthtable,’ links to a non-descriptive ‘typescript-sdk-tools’ GitHub repository, raising the first red flag, as highlighted by Simoes.

fixedwidthtable or fixedwidthtable package (Source – Sonatype)

The package versions, however, include functional code from real open-source packages, with alterations. In the ‘scripts’ folder, experts spotted an ‘index.js’ file that runs obfuscated code.

index.js file (Source – Sonatype)

Similar code and tactics are found in the other packages in the campaign, and the cybersecurity researchers deobfuscated the payloads.

Earlier versions, like ‘@am-fe/hooks,’ revealed the attacker's intentions with an unobfuscated payload. Mirroring previous PoC exploits, the script gathers SSH keys, Kubernetes config, and basic system info such as:

  • Username
  • IP
  • Hostname 

This stealthy data collection, together with the deceptive npm metadata, indicates malicious intent.

Fernandez highlights the risk of unauthorized Kubernetes access, especially if it exploits recent vulnerabilities. The domain app.threatest[.]com resolves to Cloudflare IPs, making attribution challenging.

In addition, security analysts found Mandarin comments during their analysis, but the comments do not conclusively point to a specific threat actor.

Researchers tried contacting package publishers via metadata and WHOIS records but received no response. Given the current findings, analysts still consider these packages malicious.
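
The following is an added example, not code from Sonatype or from the original article: a Node.js check that looks for the package names listed above in a parsed package-lock.json and reports whether the lockfile marks each hit as having an install script. The sample lockfile and its version numbers are constructed, and matching is by name only because the page lists no versions.

```javascript
// Package names listed on this page (Sonatype-2023-4000 / Sonatype-2023-4004).
const TRACKED = new Set([
  "@am-fe/hooks", "@am-fe/provider", "@am-fe/request", "@am-fe/utils",
  "@am-fe/watermark", "@am-fe/watermark-core",
  "@dynamic-form-components/mui", "@dynamic-form-components/shineout",
  "@expue/app", "@fixedwidthtable/fixedwidthtable", "@soc-fe/use",
  "@spgy/eslint-plugin-spgy-fe", "@virtualsearchtable/virtualsearchtable",
  "shineouts",
]);

// Lockfile v2/v3 keys are install paths ("node_modules/a/node_modules/@s/b");
// the package name is whatever follows the last "node_modules/" segment.
function nameFromPath(installPath) {
  const i = installPath.lastIndexOf("node_modules/");
  return i === -1 ? null : installPath.slice(i + "node_modules/".length);
}

// Lockfile v1 has no "packages" map, only nested "dependencies" keyed by name.
function walkV1(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...trail, name];
    if (TRACKED.has(name)) // v1 does not record install scripts: null = unknown
      hits.push({ name, version: info.version, path: path.join(" > "), hasInstallScript: null });
    walkV1(info.dependencies, path, hits);
  }
}

// Returns every direct or transitive entry whose name is on the tracked list.
function findTrackedPackages(lock) {
  const hits = [];
  if (!lock.packages) { walkV1(lock.dependencies, [], hits); return hits; }
  for (const [installPath, info] of Object.entries(lock.packages)) {
    // Aliased installs carry the real package name in "name".
    const name = info.name || nameFromPath(installPath);
    if (name && TRACKED.has(name))
      hits.push({ name, version: info.version, path: installPath,
                  hasInstallScript: info.hasInstallScript === true });
  }
  return hits;
}

// Constructed sample lockfile (versions are made up for illustration).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/react": { version: "18.2.0" },
  "node_modules/@am-fe/hooks": { version: "0.0.1", hasInstallScript: true },
  "node_modules/ui-kit/node_modules/shineouts": { version: "0.0.2" },
} };
for (const h of findTrackedPackages(SAMPLE_LOCK))
  console.log(`${h.name}@${h.version} at ${h.path} (install script: ${h.hasInstallScript})`);
```

To check a real project, pass `JSON.parse` of its package-lock.json to `findTrackedPackages`; a hit on a transitive path means the package arrived through another dependency.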


Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.