Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
Avoid using all malicious instances of the apintergrationpost package.
apintergrationpost is a malicious package. This package conceals a Linux remote access trojan (RAT) called MYRA. The package's documentation claims it is designed for "authorized red team exercises and EDR validation." Regardless of the publisher's intent, it should be treated as malicious.
The payload is designed to establish communications with an external command and control (C2) server to receive commands. During the installation phase, the package compiles a native C rootkit, forces root privileges, and installs system dependencies. The RAT masquerades as a systemd service, establishes multiple independent persistence mechanisms, supports fileless execution, and provides the operator with interactive PTY shell access and live screen streaming. Furthermore, it employs an LD_PRELOAD file-hiding rootkit to conceal its artifacts from standard system enumeration tools.
Notes:
The install scripts rely on Linux-native build tools (build-essential) and require root access to execute fully.
The C2 framework connects to a private VMware network address, which is unusual for public supply chain malware and suggests either the targeting of a specific network segment or an accidental public release.
Once deployed, the RAT runs as a detached background process independent of npm. Killing the parent installation shell will not stop the malware from running.
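To act on the advice to avoid every instance of the package, the following added example (not Snyk's tooling and not code from the advisory) searches a parsed npm lockfile for apintergrationpost, including transitive and aliased installs. The sample lockfiles, the other package names and all version strings are constructed for illustration.

```javascript
// Added example: find a package anywhere in a parsed package-lock.json object.
const TARGET = "apintergrationpost"; // package name taken from the advisory

function findPackage(lock, target = TARGET) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path ("" is the root project).
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue;
    const i = key.lastIndexOf("node_modules/");
    const folder = i < 0 ? key : key.slice(i + "node_modules/".length);
    const name = meta.name || folder; // aliased installs keep the real name in "name"
    if (name === target) {
      hits.push({ where: key, version: meta.version, installScript: meta.hasInstallScript === true });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree; aliases look like "npm:<name>@<version>".
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const alias = /^npm:(.+)@([^@]+)$/.exec(meta.version || "");
      if ((alias ? alias[1] : name) === target) {
        hits.push({ where: [...trail, name].join(" > "), version: alias ? alias[2] : meta.version });
      }
      walk(meta.dependencies, [...trail, name]);
    }
  };
  // v2 files carry both sections; only fall back to the tree when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (names other than TARGET and all versions are made up).
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/some-wrapper": { version: "2.1.0" },
    "node_modules/some-wrapper/node_modules/apintergrationpost": { version: "0.0.0-example", hasInstallScript: true },
    "node_modules/harmless-alias": { name: "apintergrationpost", version: "0.0.0-example" },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-wrapper": { version: "2.1.0", dependencies: { apintergrationpost: { version: "0.0.0-example" } } },
    "harmless-alias": { version: "npm:apintergrationpost@0.0.0-example" },
    "left-alone": { version: "1.0.0" },
  },
};

console.log(findPackage(SAMPLE_V3), findPackage(SAMPLE_V1));
```

A hit only shows where the package entered the dependency tree; as the notes above state, the RAT keeps running independently of npm once deployed, so removing the package does not stop it on a host where it was installed.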