Key findings:
- Uses a domain generation algorithm (DGA) with SHA256 hash to create C2 domains
- Self-deletes and removes references from the original index.js
- Downloads a "startup.js" payload to Google Chrome's user data directory
- Executes using the Node executable in path
This represents a concerning evolution in supply chain attacks, as it avoids detection during installation and security scanning. The npm team acted quickly to remove the package once reported.
We're also working on dynamic analysis tools for open source packages to better detect these types of sophisticated threats. Happy to answer any questions about our methodology or findings!