Hackers Infect Security Researchers with Malware to Steal WordPress Credentials

 

For the past year, a cyberattack campaign has been targeting security professionals, including red teamers, penetration testers, and researchers, infecting their systems with malware. The malicious software has been used to steal WordPress credentials and sensitive data while also installing cryptominers on compromised devices. Over 390,000 WordPress accounts have been affected, and multiple systems have been found mining Monero, a cryptocurrency favored for its anonymity.  

Researchers from Datadog Security Labs uncovered the attack in the NPM package repository and on GitHub. Checkmarx, another cybersecurity organization, also recently raised concerns about the same threat. The malicious package masqueraded as an XML-RPC implementation, first appearing in October 2023. Initially functional and legitimate, the package was updated 16 times before being identified as harmful in November 2024. The attackers adopted a calculated approach to gain trust within the developer community. Early versions of the package performed as advertised, but later updates introduced malicious functionality. 

Once installed, the malware activated every 12 hours, collecting sensitive information such as SSH keys and command-line histories. The stolen data was then exfiltrated through file-sharing platforms like Dropbox or File.io. This campaign’s impact extended further as unsuspecting security professionals integrated the compromised package into their own tools and projects. This turned the operation into a large-scale supply chain attack, increasing its reach and potential damage. The investigation revealed 68 systems actively mining Monero, likely using XMRig, a cryptomining tool commonly employed by cybercriminals. 

Monero’s untraceable nature makes it particularly appealing to threat actors. Despite extensive analysis, the identity of those behind the campaign remains unknown. The researchers assigned the group the identifier MUT-1224, an acronym for “Mysterious Unattributed Threat.” The incident highlights the persistent vulnerabilities in open-source software platforms, such as NPM and GitHub, which continue to be exploited for cyberattacks. Developers are urged to exercise caution when incorporating third-party software into their projects, thoroughly vetting code repositories and reviewing package histories to minimize risks. This malware campaign also underscores the growing sophistication of cybercriminals, who are increasingly leveraging supply chain vulnerabilities to expand their reach. 

By infiltrating widely used platforms and tools, attackers can affect a vast number of users and systems. To mitigate these threats, organizations must prioritize robust security practices, including regular monitoring of open-source dependencies, deploying tools for detecting malicious code, and educating teams on the risks associated with third-party software. This proactive approach is essential for safeguarding sensitive data and maintaining system integrity in an era of increasingly complex cyber threats.