Cybersecurity researchers at Socket have uncovered a malicious npm package designed to seize server control during payment transactions. The package, @naderabdi/merchant-advcash, poses as a legitimate integration for the digital payment platform Advcash (now rebranded as Volet). Embedded within the package is a reverse shell activated after successful payments, allowing attackers to remotely control systems.
Advcash, while a niche platform compared to mainstream services like PayPal, is commonly used in gray-market cryptocurrency exchanges and offshore financial operations – a profile exploited by threat actors to evade scrutiny. Socket's findings underscore a growing trend of malware targeting trusted workflows within payment systems.
The malicious npm module mimics the logic of genuine payment processing, performing SHA-256 hashing, credential verification, and transaction simulations. However, the `url_success()` method – triggered post-payment – executes a reverse shell, connecting victims' servers to an attacker-controlled IP address.
Unlike typical supply-chain attacks activated during installation, this payload delays execution until a transaction's successful completion – a move designed to circumvent static analysis tools and target production environments.
Leveraging Node.js modules like `net` and `child_process`, the shell grants attackers unrestricted access to execute commands, exfiltrate data, or penetrate internal networks.
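The pattern described above (a payment helper that legitimately needs `crypto` and `https` but also pulls in `net` and `child_process`, and wires a socket to a process) is something a defender can screen for before a package ever reaches production. The following is an added example written for this page, not code from Socket or from the article: a small capability scan that lists the Node.js core modules a source file requires, flags any a payment integration has no business using (the `SENSITIVE_MODULES` list is an assumption, as is the `PAYMENT_ALLOWLIST`), and notes whether a network socket is piped into a process. The two fixtures are constructed for the example; the "suspicious" one contains only the indicators, not a working program. It is a heuristic: obfuscated or dynamically built `require()` calls will slip past it, so treat a clean result as "nothing obvious", not as a verdict of safety.

```javascript
// Added example (not from the article or from Socket): static "capability"
// scan of an npm package's source before it is integrated.

// Core modules whose presence in a payment SDK warrants a manual review
// (assumed list; tune it to the package's declared purpose).
const SENSITIVE_MODULES = new Set([
  "net", "child_process", "dgram", "tls", "vm", "worker_threads",
]);

// Modules a payment/signing helper is expected to use (assumed allowlist).
const PAYMENT_ALLOWLIST = ["crypto", "https", "http", "url", "querystring"];

// require("x") / require('x') and ESM "import ... from 'x'", with or
// without the "node:" prefix. Only string-literal specifiers are caught.
const REQUIRE_RE = /require\(\s*["'](?:node:)?([a-z_/]+)["']\s*\)/g;
const IMPORT_RE = /import\s+[^;]*?\sfrom\s+["'](?:node:)?([a-z_/]+)["']/g;

// Return the sorted, de-duplicated list of core module names referenced.
function requiredModules(src) {
  const found = new Set();
  for (const re of [REQUIRE_RE, IMPORT_RE]) {
    re.lastIndex = 0; // regexes are global and reused across calls
    let m;
    while ((m = re.exec(src)) !== null) found.add(m[1]);
  }
  return [...found].sort();
}

// Assess one source file against the modules it is expected to need.
function assessPackage(src, expected) {
  const modules = requiredModules(src);
  const unexpected = modules.filter(
    (m) => SENSITIVE_MODULES.has(m) && !expected.includes(m),
  );
  // Outbound socket plus a process whose stdio is piped: the shape the
  // article describes. Each test alone is common; the combination is not
  // something a payment helper needs.
  const socketConnect =
    /\.connect\s*\(/.test(src) || /createConnection\s*\(/.test(src);
  const pipedProcess =
    /\.pipe\s*\(/.test(src) && /\.(stdin|stdout)\b/.test(src);
  const shellWiring =
    modules.includes("net") &&
    modules.includes("child_process") &&
    socketConnect &&
    pipedProcess;
  return {
    modules,
    unexpected,
    shellWiring,
    verdict: unexpected.length > 0 || shellWiring ? "review" : "ok",
  };
}

// Constructed fixture: what a benign signing helper typically looks like.
const BENIGN_FIXTURE = `
const crypto = require("crypto");
const https = require("https");
function signRequest(params, secret) {
  return crypto.createHash("sha256").update(params + secret).digest("hex");
}
`;

// Constructed fixture: indicators only, deliberately not a working program.
const SUSPICIOUS_FIXTURE = `
const crypto = require("crypto");
const net = require("net");
const cp = require("child_process");
function url_success(payload) {
  const sock = net.connect(PORT, HOST);
  sock.pipe(proc.stdin);
  proc.stdout.pipe(sock);
}
`;

// Stand-alone run: print both assessments.
for (const [name, src] of [["benign", BENIGN_FIXTURE], ["suspicious", SUSPICIOUS_FIXTURE]]) {
  console.log(name, JSON.stringify(assessPackage(src, PAYMENT_ALLOWLIST)));
}
```

Run it over every file in the unpacked tarball (`npm pack` then extract), not only the entry point, and diff the module list against what the package's README claims to do; a payment or e-commerce helper that needs `child_process` is the kind of mismatch worth a question before merging.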
The package's sophistication lies in its blending of malicious code with legitimate functionality:
“It’s designed to build trust in the module, encouraging developers to integrate it deep within production environments, maximizing the attacker’s reach once the reverse shell is triggered,” noted Socket researchers.
The malicious package, masquerading as a legitimate payment integration, has been reported and removed from npm, but similar threats likely persist.
“It's a reminder for developers and security teams: Blind trust is misplaced. Even packages specifically designed for e-commerce or payments can be Trojan horses for deeper compromises,” Socket concludes.
To protect against such threats, developers and organizations should take the following steps: