Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in xxdxa (npm)

xxdxa

Risk score

92

AI summary

Indexed incident for xxdxa (npm).

Description

The package's sole file i.js (declared as main) is a heavily obfuscated IIFE whose top-level exploit() runs unconditionally when the module is loaded. In a browser context on noviembrenacional.com it reads document.documentElement.outerHTML, base64-encodes it, and POSTs it (body 'type=page_html&data=...') to a hardcoded canarytokens.com endpoint (canarytokens.com/images/terms/e63c36xvesfv8udb0yiy1xztu/contact.php), along with status beacons (start, username, no_user_span, no_nonce, exploit_success, error). When the visitor is a logged-in WordPress user on that site whose username is neither 'JuanCuesta' nor 'noviembrenacional', it fetches /my-account/editar-cuenta/, extracts the save-account-details nonce and referer, and submits a same-origin CSRF POST that overwrites the victim's account email to nyxalor_25@proton.me, then triggers a password reset — an account takeover. For the 'noviembrenacional' admin user it instead POSTs to /members//settings/delete-account/. In Node (no window), the top-level call throws and the catch handler issues fetch(CANARY_URL + '?type=error&msg=...'), leaking a beacon (including the installer's public IP and an error string) to the attacker's canarytokens URL at require/import time. URLs, DOM property names, form field names, endpoints, and the attacker email are hidden via \uXXXX escapes, reversed-string decoding (e.g. '/srebmem/'.split('').reverse().join('') → '/members/'), and dead-code XOR expressions, existing solely to conceal the exfiltration destination and WordPress attack targets.

Technical details

Affected versions

=1.0.3=1.0.2=1.0.4=1.0.5=1.0.7=1.0.1

Indicators

  • affected version=1.0.375%
  • affected version=1.0.275%
  • affected version=1.0.475%
  • affected version=1.0.575%
  • affected version=1.0.775%
  • affected version=1.0.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents