April 16, 2025

Malicious NPM Package Poses as Payment Integration


Malicious NPM Package Masquerades as Payment Integration, Installs Backdoor

Cybersecurity researchers at Socket have uncovered a malicious npm package designed to seize server control during payment transactions. The package, @naderabdi/merchant-advcash, poses as a legitimate integration for the digital payment platform Advcash (now rebranded as Volet). Embedded within the package is a reverse shell activated after successful payments, allowing attackers to remotely control systems.

Advcash, while a niche platform compared to mainstream services like PayPal, is commonly used in gray-market cryptocurrency exchanges and offshore financial operations – a profile exploited by threat actors to evade scrutiny. Socket's findings underscore a growing trend of malware targeting trusted workflows within payment systems.

The malicious npm module mimics the logic of genuine payment processing, performing SHA-256 hashing, credential verification, and transaction simulations. However, the `url_success()` method – triggered post-payment – executes a reverse shell, connecting victims' servers to an attacker-controlled IP address.

Unlike typical supply-chain attacks activated during installation, this payload delays execution until a transaction's successful completion – a move designed to circumvent static analysis tools and target production environments.

Leveraging Node.js modules like `net` and `child_process`, the shell grants attackers unrestricted access to execute commands, exfiltrate data, or penetrate internal networks.

The package's sophistication lies in its blending of malicious code with legitimate functionality:

  • Realistic Functions: Validates currencies, hashes payment tokens, and dynamically retrieves API credentials.
  • Context-Specific Activation: The reverse shell is triggered only during payment callbacks, a moment of lowered vigilance.
  • Minimal Footprint: No errors or standalone scripts; malicious logic is embedded within standard HTTP response handling.

“It’s designed to build trust in the module, encouraging developers to integrate it deep within production environments, maximizing the attacker’s reach once the reverse shell is triggered,” noted Socket researchers.

The malicious package, masquerading as a legitimate payment integration, has been reported and removed from npm, but similar threats likely persist.

“It's a reminder for developers and security teams: Blind trust is misplaced. Even packages specifically designed for e-commerce or payments can be Trojan horses for deeper compromises,” Socket concludes.

Protective Measures and Recommendations

To protect against such threats, developers and organizations should take the following steps:

  • Carefully vet NPM packages before integration, including scrutinizing authors, code, and dependencies.
  • Employ static code analysis and vulnerability scanning tools.
  • Implement robust security policies and processes for software development.
  • Regularly update software and dependencies to patch known vulnerabilities.
  • Monitor network traffic and system activities to detect suspicious behavior.
