Veracode unravels 12-layer npm attack to find RAT
Veracode discovered two malicious npm packages containing an extraordinarily complex 12-layer attack that used multiple obfuscation techniques, including Unicode characters (Japanese Katakana and Hiragana), binary strings, Base64 encoding, and others. The attack activated immediately when developers ran "npm install" through a postinstall script, making it nearly impossible to avoid once the malicious package was added to a project. The malware attempted to disable Windows Defender by adding its own files to exclusion lists and used memory-only execution to avoid leaving traces on the hard drive.
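
A defender-side check for the pattern described above, as an added example that is not from Veracode's report: it flags a package that declares an install-time lifecycle script and also contains the obfuscation markers mentioned (Hiragana/Katakana characters, long binary strings, long Base64 runs). The length thresholds, the verdict names and the sample package are assumptions made for illustration.

```javascript
// Added example: static triage of an unpacked npm package before it is installed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const KANA = /[\u3040-\u30FF]/g;                  // Hiragana and Katakana blocks
const BINARY_RUN = /[01]{64,}/g;                  // long binary strings (assumed threshold)
const BASE64_RUN = /[A-Za-z0-9+\/]{120,}={0,2}/g; // long Base64-looking runs (assumed threshold)

// Lifecycle scripts that npm runs automatically during "npm install".
function installHooks(manifestText) {
  const scripts = JSON.parse(manifestText).scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Count the obfuscation markers named in the article in one source file.
function obfuscationSignals(source) {
  const count = (re) => (source.match(re) || []).length;
  return { kana: count(KANA), binaryRuns: count(BINARY_RUN), base64Runs: count(BASE64_RUN) };
}

// files: { relativePath: sourceText }. Kana alone is normal in Japanese-language
// packages, so the strongest verdict requires an install hook as well.
function triage(manifestText, files) {
  const hooks = installHooks(manifestText);
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    const s = obfuscationSignals(source);
    if (s.kana || s.binaryRuns || s.base64Runs) findings.push({ file, ...s });
  }
  const verdict = hooks.length && findings.length ? "block"
    : hooks.length || findings.length ? "review" : "allow";
  return { verdict, hooks, findings };
}

// Constructed sample input (hypothetical package, not taken from the report).
const SAMPLE_MANIFEST = JSON.stringify({
  name: "example-pkg", version: "1.0.0",
  scripts: { test: "node test.js", postinstall: "node setup.js" },
});
const SAMPLE_FILES = {
  "index.js": "module.exports = (a, b) => a + b;\n",
  "setup.js": 'const アイ = "' + "01".repeat(40) + '";\nconst あ = "' + "QUJD".repeat(40) + '";\n',
};

console.log(JSON.stringify(triage(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
```

Installing with `npm install --ignore-scripts` keeps lifecycle scripts from running while a flagged package is reviewed.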