Follina a silent Client-Side

Martín Gelbort
(Cybersecurity Researcher & Trainer)


Twitter Facebook linkedin

Oscompatible" NPM package generates Windows system supply chain attack

The "oscompatible" package has been used to deploy a sophisticated remote access Trojan (RAT) on Windows systems. It was released on January 9, 2024 and garnered 380 downloads before being removed from the repository used by NPM. Phylum, a company specializing in software supply chain security, reported that the package contained an executable file, a DLL library and an encrypted DAT file, as well as a JavaScript file.

What is NPM?

Node Package Manager (NPM) is an essential tool in the world of web development, particularly in projects using Node.js, a platform for running JavaScript on the server. As a package manager, NPM allows developers to install, share and manage dependencies (libraries and tools) in their projects in an efficient and organized way.

NPM operates through an online registry, which is a massive collection of public and private software packages. This registry acts as a centralized repository where developers can publish their own packages and access those of others. The variety and quantity of packages available on NPM is enormous, Using NPM simplifies the development process. Developers can quickly install packages with a simple command, incorporating complex functionality without having to write code from scratch. This encourages code reuse and saves valuable time, allowing developers to focus on more innovative and specific aspects of their projects.

Using NPM simplifies the development process. Developers can quickly install packages with a simple command, incorporating complex functionality without having to write code from scratch. This encourages code reuse and saves valuable time, allowing developers to focus on more innovative and specific aspects of their projects.

In addition, NPM manages package versions and dependencies, ensuring that projects are consistent and work correctly in different environments. This is crucial in collaborative development environments, where multiple developers work on the same project.

In summary, NPM is a vital component in the JavaScript development ecosystem, providing an efficient and effective platform for package and dependency management in software projects.

How does the attack work?

The attack starts with the execution of "index.js" which first checks if the platform is Windows and, if so, simply executes the "autorun.bat" file and, if it does not detect Windows, tells the user that it needs to be run specifically on "Windows Server OS".

The "autorun.bat" script first checks if you have administrator privileges and, if not, runs the "cookie_exporter.exe" file and requests privilege escalation before running it. However, if the script was executed and you already had administrator privileges, then nothing would happen.

If you need to elevate privileges, you will do so using "cookie_exporter.exe" is a real Microsoft Edge component used here because it has a valid Authenticode signature. Trying to run the process as administrator should show that Microsoft Edge wants to run as administrator with a User Account Control (UAC) request.

Clicking "Yes" on the UAC prompt will run "cookie_exporter.exe" with administrator privileges. And this is where the attacker uses the DLL search order hijacking tactic. If we recall from earlier, we also have a file called "msedge.dll" in the same directory that was shipped with this exe in the npm package. What is pertinent here is that the executable uses "LoadLibraryExA" to load a DLL named "msedge.dll".

It turns out that "msedge.dll" is also a real component of Microsoft Edge, however, the "msedge.dll" shipped with this package is not the real "msedge.dll". It was signed on 06 NOV 2023 using a certificate that was revoked on 09 MAR 2023. It is not yet clear if these keys are the result of a broader compromise.

Once "msedge.dll" is loaded, it invokes a function called "ExportSpartanCookies". This function does not export Edge cookies. Instead, it opens the encrypted, attacker-supplied file "msedge.dat", decrypts it using a 352-byte XOR key to produce another DLL called "msedgedat.dll" and then executes it. Importantly, it appears that this DLL is loaded into memory and executed from there without first writing to disk.

"msedgedat.dll" makes some requests to a domain called kdark1[.]com and downloads a zip file. There is a part of the code that appears to be designed to identify the need to update the file, indicating that this could be part of an ongoing operation.

The zip file you download contains:

 • ud.exe: An executable that takes control of the screen and displays a fake Windows 10 update animation (copied from, contained in resources.neu). This is Neutralinojs, an alternative to Electron, but has been signed using the same revoked code signing certificate as msedge.dll.

 • AnyDesk.exe: A copy of AnyDesk.

 • Band64.dll: This DLL is injected into Explorer so that the desktop can be hidden using SetWindowBand.

 • RpcTest64.dll: This DLL is injected into winlogon.

 • verify.dll: A DLL encrypted using the same mechanism as msedge.dat.

The verify.dll file is a RAT. After deployment, it performs the following actions:

 • It is recorded as a scheduled task.
 • Receives commands from a remote server using websockets.
 • Install Chrome extensions in Secure Preferences.
 • Configure AnyDesk, hide the screen and disable Windows shutdown.
 • Captures keyboard and mouse events.
 • Collects information about files, browser extensions and browsing history.

The vulnerability exploited by "oscompatible" lies in its ability to pretend to be a legitimate package, which makes it easy for users to install it unnoticed. Once executed, this software performs several malicious actions:

 • Silent Installation: The package is installed without the user's explicit knowledge, taking advantage of security holes in the system or in the installed software.

 • Remote Code Execution: Allows attackers to execute arbitrary code on the infected machine. This means that attackers can perform almost any action on the compromised system, from stealing data to installing more malware.

 • Establishing Backdoors: The biggest threat of this package is its ability to establish backdoors in the system. These backdoors are remote access routes for attackers, allowing them to enter and exit the system at will.

 • Data Collection: Once inside the system, you can collect a wide range of personal and sensitive data, including login credentials, financial information and personal files.

 • Network propagation: The ability of this malware to spread through connected networks exponentially increases its danger, putting at risk not only the initial user but also connected systems.

This complexity and sophistication make "oscompatible" a particularly dangerous threat and difficult to detect and eradicate once it has infected a system.

The impact of "oscompatible" on Windows users is not trivial. Given its ability to give remote access to attackers, the implications range from privacy breaches to the potential theft of confidential and financial information. The magnitude of the problem is accentuated by the popularity of Windows as an operating system, putting millions of users worldwide at risk.


Supply chain attacks represent an emerging and highly disruptive cyber threat. These attacks, which focus on infiltrating organizations through their trusted suppliers and partners, highlight the interconnectedness and dependence modern businesses have on their supply network. The stealthy nature of these attacks makes them particularly dangerous, as attackers can remain undetected for long periods, maximizing the potential for damage.

The recent escalation in the frequency and sophistication of these attacks underscores the need for a robust and proactive security strategy. Companies must go beyond conventional security measures and adopt a holistic approach that includes continuous risk assessment, supplier network monitoring and the implementation of rigorous security controls at all levels of the supply chain.

IT security education and training for employees and partners is also essential, as the human factor is often the weakest link in security.

In short, supply chain attacks require a shift in security mindset from "if it happens" to "when it happens". Preparing for these attacks is not just a matter of implementing the right technology; it also involves fostering a security-aware and resilient culture. By addressing these challenges holistically, organizations can strengthen their security posture and better protect themselves against the increasingly complex threats in today's cybersecurity landscape.