AI-empowered cybercriminals execute ransomware attacks on NX infrastructure
In a recent development, a new ransomware named "PromptLock" has been discovered by the Slovak IT security company Eset. This AI-generated malware runs the OpenAI model gpt-oss:20b locally on target systems via the Ollama API and has been found to target user data across several platforms.
The malware was inserted into the installation routine of the NX packages and called various command-line versions of AI tools such as Claude Code, Gemini CLI, and Amazon's coding agent "q". Eight different packages in the Node Package Manager (NPM) were found to be affected, all of which were variants of NX and some of its plugins.
Interestingly, none of these packages were officially released or approved by the NPM team. They were uploaded between August 26 and 27 by unknown individuals using stolen developer keys. The malware invoked the AI tools with parameters such as "--yolo" in order to bypass their built-in security barriers.
The exact nature and extent of the data theft from these packages are currently unknown. However, since NX packages are downloaded and installed millions of times a month, thousands of systems could have been affected.
The ransom notes of "PromptLock" use a Bitcoin wallet associated with the mysterious Satoshi Nakamoto, the first recipient of a "block reward". This connection adds a layer of intrigue to the already concerning situation.
The malware showed a keen interest in SSH keys, .env files with potentially sensitive configuration settings, and crypto wallets. This indicates that the primary goal of the attackers may have been to gain access to sensitive user data for financial gain.
In response to this threat, users who may have been affected by the NX attack are advised to follow the guidelines in the Security Advisory on GitHub. These guidelines include rotating GitHub tokens and blocking malicious apps from their account.
On a positive note, members of the professional service your website security PRO can attend free of charge, and others can currently benefit from an early bird discount. A webinar by your website security on October 29 will explain the pitfalls and opportunities of AI in IT security, providing valuable insights into this rapidly evolving field.
Stay vigilant and secure, and keep your systems updated to protect against such threats.