Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label NPM Package. Show all posts
RAT
BeaverTail malware North Korea Hackers NPM Package RAT

North Korean Hackers Use 11 Malicious npm Packages to Propagate BeaverTail Malware

 

The North Korean threat actors behind the ongoing Contagious Interview campaign are expanding their tentacles on the npm ecosystem by distributing more malicious packages including the BeaverTail malware and a new remote access trojan (RAT) loader. 

"These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation in the threat actors' obfuscation techniques," Socket security researcher Kirill Boychenko noted in a report. 

The following packages were downloaded over 5,600 times before being removed: empty-array-validator, twitterapis, debugger-vite, snore-log, core-pino, events-utils, icloud-cod, cln-logger, node-clog, and consolidate-log. 

The announcement comes nearly a month after six npm packages were discovered to be distributing BeaverTail, a JavaScript stealer that can also deploy a Python-based backdoor known as InvisibleFerret. The campaign's ultimate purpose is to breach developer systems using the premise of a job interview, steal sensitive data, syphon financial assets, and maintain long-term access to compromised networks. 

The newly discovered npm packages masquerade as utilities and debuggers, with one of them - dev-debugger-vite - utilising a command-and-control (C2) address previously identified by SecurityScorecard as being used by the Lazarus Group in a campaign called Phantom Circuit in December 2024.

What distinguishes these packages is that some of them, like events-utils and icloud-cod, are connected to Bitbucket repositories rather than GitHub. Furthermore, the icloud-cod package was discovered to be located in a directory called "eiwork_hire," confirming the threat actor's usage of interview-related themes to activate the infection. 

An investigation of the packages, cln-logger, node-clog, consolidate-log, and consolidate-logger, revealed slight code-level differences, indicating that the attackers are publishing numerous malware variants to boost the campaign's success rate.

Regardless of the alterations, the malicious code encoded in the four packages acts as a remote access trojan (RAT) loader, capable of spreading a next-stage payload from a remote server. Cybersecurity expert Boychenko stated that the exact nature of the malware being disseminated via the loader is unknown at this time due to the C2 endpoints no longer serving payloads. 

"The code functions as an active malware loader with remote access trojan (RAT) capabilities," Boychenko noted. "It dynamically fetches and executes remote JavaScript via eval(), enabling North Korean attackers to run arbitrary code on infected systems. This behavior allows them to deploy any follow-up malware of their choosing, making the loader a significant threat on its own.” 

The findings highlight the persistent nature of Contagious Interview, which, in addition to posing a long-term threat to software supply chains, has adopted the infamous ClickFix social engineering approach to propagate malware. 

The discovery of the new npm packages comes as South Korean cybersecurity firm AhnLab outlined a recruitment-themed phishing effort that downloads BeaverTail, which is subsequently used to launch a previously undocumented Windows backdoor known as Tropidoor. The firm's analysis of data shows that BeaverTail is actively targeting developers in South Korea.
Read more »
Unauthorized access
Data Breach Exfiltration Malicious actor Malware Developers NPM Package Platform PyPI Package SSH Third Party Apps Unauthorized access

Unmasking the Surge of Malicious NPM and PyPI Packages

Cyberattacks originating from malicious packages on widely used software repositories like NPM and PyPI have increased significantly recently, as seen in the cybersecurity landscape. Due to the abundance of libraries and modules that they host, these platforms are essential tools for developers. They speed up the development process. Alarm bells have, however, gone off in the tech community due to an increase in fraudulent parcels.

According to reports, these repositories have been infiltrated by a steady supply of malicious packages, leaving developers who aren't vigilant for risks online exposed. These packages' attackers have demonstrated an astounding level of intelligence, using a number of evasion techniques.

These malicious packages, according to a recent analysis by cybersecurity specialists, have been skillfully created to look like legitimate ones, frequently utilizing names and descriptions that closely resemble well-known libraries. They are able to evade detection thanks to this camouflage, which makes it more difficult for developers to discern between legitimate and harmful services.

SSH keys were stolen in one well-known instance using a number of malicious PyPI and NPM packages. The attackers injected code that exfiltrated private information from unwary users by taking advantage of flaws in the repositories. There have been urgent requests for increased security measures on social platforms as a result of this tragedy.

The repercussions of falling for these deceitful goods might be dire. Developers who unwittingly incorporate them into their applications run the danger of opening up crucial systems to unauthorized access, data breaches, and other nefarious acts. In addition to end users' safety, this compromises the integrity of the affected apps.

Both the cybersecurity community and those that administer these repositories are stepping up their efforts to put effective security measures in place to counter this growing threat. Some of the tactics used to quickly detect and eliminate dangerous content include ongoing monitoring, automated scanning, and careful package vetting.

Developers should carefully select and incorporate third-party packages into their projects to mitigate the risk of malicious packages. Verifying the legitimacy of a package by checking its source, history, and popularity can help.

The surge of malicious packages on platforms like NPM and PyPI underscores the evolving nature of cyber threats. The tech community is working to fortify these repositories, but developers must remain vigilant and adopt best practices to protect their projects and the wider ecosystem from potential breaches. Collective vigilance and proactive measures are essential to curb this growing menace.
Read more »
Technology
Cyber Victim Cyberattacks Cybersecurity GitHub lazarus Malicious Threat NPM Package Technology

GitHub Issues Alert on Lazarus Group's Social Engineering Attack on Developers

 


According to a security alert issued by GitHub, this social engineering campaign is designed to compromise developers' accounts in the blockchain, cryptocurrency, online gambling, and cybersecurity industries. This is done through social engineering techniques. 

The campaign was reportedly linked to the Lazarus hacking group sponsored by the North Korean state. It was also linked to the groups Jade Sleet and TraderTraitor (both tools of Microsoft Threat Intelligence). There was a report released by the United States government in 2022 which detailed threat actors' tactics. 

Hacking group targets cryptocurrency companies and cybersecurity researchers to eavesdrop on them and steal their coins. The Lazarus Group is a cybercrime organization that targets cryptocurrency companies and cyber researchers using various names, such as Jade Sleet and TraderTraitor. Cyberespionage and cryptocurrency theft are two of the group's activities. According to GitHub, no GitHub accounts were compromised in this campaign, nor were any npm systems accounts.  

Lazarus Group reportedly uses legitimate GitHub or social media accounts that have been compromised or fake personas to pose as developers or recruiters on the platforms where they operate. This includes GitHub or social media. There is a wide range of personas designed to engage individuals in targeted industries. Ultimately, these personas will lead individuals to another platform, such as WhatsApp, through conversation. 

It is normally threat actors who initiate collaboration on a project. They invite targets to clone a GitHub repository related to media players and cryptocurrency trading tools after establishing trust between them. There are, however, malicious NPM dependencies on these projects that can download additional malware onto the devices of their targets. 

In June 2022, Phylum published a report on NPM packages that have been based on malicious code, with details about how they behave despite GitHub not providing details about the malware's specific behavior. Phylum reports that these packages function as malware downloaders that connect to remote websites via a browser. The download of additional payloads onto the infected machine. Several limitations in the payload reception process meant that researchers were unable to analyze the final malware delivered. 

As a consequence of this campaign, all NPM accounts and GitHub accounts associated with it have been suspended by GitHub. Additionally, they have published a list of indicators that can be used to identify whether a campaign is successful, including domains, GitHub accounts, and NPM packages. GitHub says the campaign was not intended to damage their systems. 

Lazarus has run previous social engineering campaigns similar to this one in the past. A few of these attacks included the targeting of security researchers in January 2021, a fake company website that was created in March 2021, and a fake email campaign in July 2021. As a result of these attacks, threat actors were effective at creating elaborate personas and distributing malware disguised as exploits for vulnerabilities. 

Lazarus is a group that targets cryptocurrency companies and developers to fund initiatives for the North Korean government. Several million dollars worth of cryptocurrency was stolen from them due to their involvement in the crime. It is worth noting that the theft of over 617 million dollars worth of Ethereum and USDC tokens was reported in an attack recently on Axie Infinity. 

Aside from fund theft and phishing scams, Lazarus has allegedly employed other tactics as well, including sending malicious PDF files disguised as job offers to targets that could compromise their bank accounts. In this case, the group has successfully delivered malware using false employment opportunities as a method of delivering their malware. 

Those in the target industries and developers should remain vigilant against the various types of social engineering attacks that are out there. Generally, individuals can protect themselves and their devices from malicious software and potentially compromised devices if they are aware of the tactics used by threat actors and adopt good cybersecurity practices, such as verifying the authenticity of requests and avoiding links and downloads that appear suspicious or unknown. 

Attack Process by the Lazarus Group


To begin with, the threat actor claims to be a developer or recruiter. He poses as them on GitHub and other social media websites related to the developer or recruiter niche. For contacting victims, they use their accounts as well as compromised accounts by Jade Sleet exploited by the group. 

There may be instances when the actor initiates contact on one platform and switches to another platform after a few minutes. When a threat actor connects with a victim he or she invites the victim to collaborate on a GitHub repository and uses the target as a means of cloning and executing the contents of the repository. The attacker may send the malicious software directly through a messaging service or file-sharing service, without inviting people to the repository and cloning it, in some cases. 

A malicious npm dependency has been included in the GitHub repository for the software. In addition to media players, the threat actor uses tools for selling cryptocurrencies in some of the software he builds. In addition to the malicious npm packages, these malicious npm packages also download secondary malware onto the victim's machine. A malicious package will normally not be published until a fake repository invitation is sent to you by an unknown threat actor.  

IOC details have been shared on the GitHub blog along with the suspension of npm and GitHub accounts associated with the campaign. As a practice, the most effective method of avoiding this campaign is to be cautious of social media solicitations for collaboration on or the installation of software that relies on NPM packages or dependencies. 

Lazarus Attacks in The Past 


Cryptocurrency companies and developers have been the target of North Korean hackers for a long time to steal assets needed to fund their country's initiatives. To steal cryptocurrency wallets and funds, Lazarus spreads Trojanized cryptocurrency wallets and exchange apps to target cryptocurrency users. 

It has been revealed that the U.S. Secret Service and the FBI have linked the Lazarus group to the theft of USDC and Ethereum tokens worth over $617 million from the blockchain-based game Axie Infinity by members of the Lazarus group. A malicious laced PDF file was later revealed to have been sent to one of the blockchain engineers by the threat actors, claiming to be a lucrative job offer disguised as a malicious PDF file. In this case, the attack was a result of this. 

Additionally, in 2020, a campaign called "Operation Dream Job" was used to deliver malware to employees at prominent aerospace and defense companies in the US through fake employment opportunities used to spread malware to them.
Read more »
Vulnerabilities and Exploits.
data threat Developers JavaScript NPM Package Vulnerabilities and Exploits.

JavaScript Registry npm at Risk

 

The JavaScript registry npm, a vital resource for developers worldwide, has recently come under scrutiny due to a significant vulnerability known as manifest confusion. This flaw allows attackers to exploit the npm ecosystem, potentially compromising the integrity and security of countless JavaScript packages. The repercussions of such abuse are far-reaching and could have severe consequences for the development community.

The exploit, first discovered by security researchers, highlights a fundamental flaw in the way npm handles package manifests. Package manifests contain essential information about dependencies, versions, and other metadata necessary for proper functioning. However, attackers can manipulate these manifests, tricking npm into installing malicious or unintended packages.

The severity of the issue is further exacerbated by the fact that the exploit affects not only a specific package or a handful of packages but has the potential to impact the entire npm ecosystem. With over one million packages available for public use, developers relying on npm must be vigilant in ensuring the integrity of their dependencies.

The vulnerability arises from a lack of strict validation and enforcement mechanisms in npm's package management process. By crafting specially designed manifests, attackers can exploit the confusion arising from naming similarities and version discrepancies, effectively bypassing security measures and injecting malicious code into legitimate packages.

The consequences of a successful manifest confusion attack are wide-ranging. Developers relying on npm could unwittingly introduce compromised packages into their applications, leading to a variety of security vulnerabilities and potential breaches. This could result in the theft of sensitive user data, unauthorized access to systems, or the disruption of critical services.

The npm development team has been made aware of the vulnerability and is actively working to address the issue. In response to the community's concerns, npm has implemented stricter validation checks and is exploring ways to enhance the package management process to prevent future attacks. However, mitigating the risk entirely will require the cooperation and diligence of package maintainers and developers.

Developers are recommended to manage their dependencies carefully in the interim. Before integration, it is critical to ensure that packages are authentic and intact, that they come from reliable sources, and that they have not been tampered with. Keeping packages updated to the most recent versions and signing up for vulnerability alerts can both reduce the chance of exploitation.

The npm ecosystem, which enables quick and effective software development, is a key tenet of the JavaScript development community. However, the integrity and security of this ecosystem are seriously threatened by the manifest confusion vulnerability. It is essential that npm and the larger development community solve this problem right away, working together to fortify the defenses against possible attacks and secure the future of JavaScript development.




Read more »
python
Bitcoin Crypto Ethereum Hackers Malicious actor malware NPM Package PyPI Package python

An Active Typosquat Attack in PyPI and NPM Discovered

The typosquatting-based software supply chain threat, which targets explicitly Python and JavaScript programmers, is being warned off by Phylum security researchers.

What is Typosquatting?

Cybercriminals that practice typosquatting register domains with purposeful misspellings of the names of popular websites. Typically for malevolent intentions, hackers use this tactic to entice unwary users to other websites. These fake websites could deceive users into inputting private information. These sites can seriously harm an organization's reputation if attacked by these perpetrators. 

PYPI &NPM

Researchers alerted developers to malicious dependencies that contained code to download Golang payloads on Friday, saying a threat actor was typosquatting well-known PyPI packages. 

The Python Software Foundation is responsible for maintaining PyPI, the largest code repository for the Python programming language. Over 350,000 software programs are stored there. Meanwhile, NPM, which hosts over a million packages, serves as the primary repository for javascript programming. 

About the hack

The aim of the hack is to infect users with a ransomware variant. A number of files with nearly identical names, like Python Requests, are being used by hackers to mimic the Python Requests package on PyPI.

After being downloaded, the malware encrypts files in the background while changing the victim's desktop wallpaper to a picture controlled by the hacker, and looks like it came from the CIA.

When a Readme file created by malware is opened, a message from the attacker requesting $100, usually in a cryptocurrency, for the decryption key is displayed. 

The malware used is referred to as W4SP Stealer. It is able to access a variety of private information, including Telegram data, crypto wallets, Discord tokens, cookies, and saved passwords. 

One of the binaries is ransomware, which encrypts specific files and changes the victim's desktop wallpaper when executed. However, soon the malicious actors published numerous npm packages with identical behaviors. For the decryption key, they demand $100 in Bitcoin, XMR, Ethereum, or Litecoin.

Each of the malicious npm packages, such as discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr, contains JavaScript code that acts identical to the code embedded in the Python packages. 

Louis Lang, chief technology officer at Phylum, predicts a rise in harmful package numbers. These packages drop binaries, and the antivirus engines in VirusTotal identify these binaries as malicious. It is advised that Python and JavaScript developers adhere to the necessary cybersecurity maintenance and stay secure. 



Read more »
User Security
Discord Info Stealer NPM Package Technology User Security

Discord Users Targeted by Malicious Npm Packages

 

Kaspersky researchers have unearthed yet another supply chain attack campaign employing multiple malicious npm packages, this time targeting Discord users to steal their payment card information. 

The malware employed in these attacks is a modified version of an open-source and Python-based Volt Stealer token logger and JavaScript malware dubbed Lofy Stealer. 

“The Python malware is a modified version of an open-source token logger called Volt Stealer. It is intended to steal Discord tokens from infected machines and the victim’s IP address and upload them via HTTP,” reads the analysis published by Igor Kuznetsov and Leonid Bezvershenko. 

The malware monitors the victims' actions, such as Discord logins, attempts to change the credentials, multi-factor authentication (MFA) toggles, or the addition of new payment methods to steal Discord accounts and payment information. 

Subsequently, the harvested data is uploaded to the remote endpoint whose address is hardcoded (e.g., life.polarlabs.repl[.]co, sock.polarlabs.repl[.]co, idk.polarlabs.repl[.]co). 

“The JavaScript malware we dubbed ‘Lofy Stealer’ was created to infect Discord client files in order to monitor the victim’s actions, researchers added. It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA), and adds new payment methods, including complete bank card details. Collected information is also uploaded to the remote endpoint whose address is hard-coded,” the analysis further read.

Kaspersky states that they are constantly monitoring the updates to repositories to rapidly scan and remove all new malicious packages. 

According to researchers, this is a repetitive process among malicious npm packages, and it's just one of the seemingly endless streams of malware specifically designed to target Discord users in recent years with info stealers. 

For example, in 2019, malware dubbed Spidey Bot was employed to alter the Windows Discord user to backdoor it and deploy an information-stealing trojan. Last year, malicious npm and PyPI libraries were also employed to target Discord users, steal their user tokens and browser information, and deploy MBRLocker data wiping malware called Monster Ransomware. 

Earlier this year, JFrog researchers uncovered multiple malicious packages in the NPM registry particularly targeting several popular media, logistics, and industrial companies based in Germany to carry out supply chain assaults.
Read more »
Technology
cryptocurrency cryptomining JavaScript NPM Package Technology

NPM JavaScript Package Repository Targeted by Widespread Cryptomining Campaign

 

Checkmarx researchers have unearthed a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. 

The hacker behind this malicious campaign, dubbed CuteBoi, published 1,283 modules in the repository and employed over 1,000 different user accounts. The researchers discovered the supply chain assault after spotting a burst of suspicious NPM users and packages designed automatically. 

“Checkmarx SCS team detected over 1200 npm packages released to the registry by over a thousand different user accounts. This was done using automation which includes the ability to pass the NPM 2FA challenge. This cluster of packages seems to be a part of an attacker experimenting at this point,” reads the post published by Israeli application security testing firm Checkmarx. 

All the rogue packages impersonated a near-identical source code from an already existing package named eazyminer that's employed to mine Monero by means of utilizing unused resources of systems such as ci/cd and web servers. One notable modification entails the URL to which the mined cryptocurrency should be sent, although installing the rogue modules will not bring about a negative effect. 

"The copied code from eazyminer includes a miner functionality intended to be triggered from within another program and not as a standalone tool," researcher Aviad Gershon explained. "The attacker didn't change this feature of the code and for that reason, it won't run upon installation." 

As observed in the case of RED-LILI earlier this year, the packages are published via an automation methodology that allows hackers to bypass two-factor authentication (2FA) protections. 

However, while the former involved setting up a custom server and using a combination of tools like Selenium and Interactsh to programmatically design an NPM user account and defeat 2FA, CuteBoi depends on a disposable email service called mail.tm to automate the creation of the users that upload the packages to the NPM repository. 

Specifically, it utilizes a REST API provided by the free platform that enables "programs to open disposable mailboxes and read the received emails sent to them with a simple API call." In this, hackers behind the CuteBoi campaign can circumvent the NPM 2FA challenge when creating a flood of user accounts to publish the packages. 

Earlier this week, security research uncovered another NPM-related large-scale software supply chain attack dubbed IconBurst designed to siphon sensitive data from forms embedded in downstream mobile applications and websites. 
Read more »
URL
Data Breach JavaScript Malicious Code NPM Package Open Source Software Supply Chain Attack URL

Attack Against NPM Software Supply Chain Unearthed

 

Iconburst's most recent attack is described as a massive and well-planned effort to spread malicious Javascript packages distributed through the open-source NPM package system.

Upon further analysis, evidence of a planned supply chain assault was found, with numerous NPM packages containing jQuery scripts created to steal data from deployed apps that use them, as per researchers.

ReversingLabs noted that the malicious packages we identified are probably used by hundreds or thousands of downstream mobile and desktop programs as well as websites, even if the full scope of this assault is still unknown. In one instance, malicious software had been downloaded more than 17,000 times.

Obfuscation used 

The firm said that its analysis of the modules had found signs of coordination, with malicious modules linked to a select group of NPM publishers and recurrent patterns in the infrastructure that supported them, such as unencrypted domains.

“The revelation of a javascript obfuscator was the first trigger for our team to examine a broad variety of NPM packages, the majority of which had been released within the previous two months and utilized the stated obfuscator. It revealed more than 20 NPM packages in total. When these NPM modules are examined in greater detail, it becomes clear that they are associated with one of a small number of NPM accounts with names like ionic-io, arpanrizki, kbrstore, and aselole,” according to ReversingLabs. 

Meanwhile, Checkmarx said, "Roughly a thousand unique user accounts released over 1200 NPM packages to the registry, which we found. Automation was used, which allowed for the successful completion of the NPM 2FA challenge. At this moment, this collection of packages appears to be a part of an attacker's testing." 

Obfuscated malware data theft 

The de-obfuscated examples underwent a thorough analysis, which showed that every one of them collects form data using jQuery Ajax methods and subsequently exploits that data to different domains controlled by malevolent writers.

To exfiltrate serialized form data to domains under the attacker's control, the malicious packages employ a modified script that extends the functionality of the jQuery ajax() function. The function verifies the URL content before transmitting the data to carry out target filtering checks. 

Attack on supply chain 

The NPM modules which ReversingLabs found have been downloaded more than 27,000 times in total. The attacks occurred for months before coming to attention because very few development firms can identify malicious software within open source libraries and modules.

"It is certain from the report of this study that software development businesses and their clients both require new tools and procedures for evaluating supply chain risks, such as those posed by these malicious NPM packages," researchers told.

"Applications and services are only as secure as their weakest component due to the decentralized and modular nature of application development. The attack's success—more than two dozen malicious modules were made available for download on a well-known package repository, and one of them received 17,000 downloads in just a few weeks—underscores the lax standards for application development and the low barriers that prevent malicious or even vulnerable code from exploiting IT environments and sensitive applications," ReversingLabs further added.
Read more »
Windows Defender
AWS Data Breach Firewall NPM Package Phishing Attacks PyPI Windows Defender

Python Libraries Hacked AWS Data and Keys  

 

Sonatype researchers have found malicious Python packages that post your AWS credentials and user characteristics to a publicly accessible endpoint rather than just exploiting sensitive data. Some malicious packages with the Sonatypes are as follows:
  • loglib-modules — seems targeted at coders who are familiar with the authentic "loglib library."
  • pyg-modules — seems aimed at coders who are familiar with the basic "pyg" library.
  • Pygrata:Unknown target, pygrata-utils contains identically noxious code to that found in "loglib-modules." 
  • hkg-sol-utils: Unknown goal 

The anti-ransomware detection technology provided by Sonatype as part of Nexus platform products, such as Nexus Firewall, found these packages. Researchers found these packages to be harmful after further analysis, thus, out of precaution, they reported this to the PyPI security team, so these packages were withdrawn. "This kind of package either has code that reads and phishes your secrets or employs a dependency that does it”, according to an analysis by   Sonatype security researchers Jorge Cardona and Carlos Fernández. 

For instance, the malicious software in the packages "loglib-modules" and "pygrata-utils" enables the programs to gather AWS credentials, network interface data, and environment variables and ship them to a remote location. IAM role details for an EC2 cloud instance are reported to be returned using the URL 'hxxp:/169.254.169[.]254/latest/meta-data/iam/security-credentials/'. 

Unsettlingly, there are hundreds of endpoints holding this data. Since TXT files were not encrypted by any security measures, anyone with access to the internet could essentially access these credentials. It's vital to know that packages like "pygrata" depend on one of the two aforementioned modules rather than containing the code themselves. It is still unknown who the malicious actors are and what propels them. 
 
Users of Nexus Firewall are shielded 

If the stolen credentials posted online on purpose or as a result of bad opsec procedures? There isn't enough information available right now to rule out the possibility that this action is suspect, even if it is valid security testing as per researchers. This finding comes after the report last week of several malicious vendors, including the npm package "flame-vali," which repeatedly tried to disable Windows Defender before releasing a trojan.

The software supply chain will be safeguarded from the start thanks to Nexus Firewall instances that immediately quarantine any suspect components found by automated malware detection systems while a subjective evaluation by a researcher is being prepared.
Read more »
Vulnerabilities and Exploits
Geerman Firms JavaScript NPM Package Security Risk Vulnerabilities and Exploits

German Firms Targeted by Malicious NPM Packages

 

JFrog researchers have uncovered multiple malicious packages in the NPM registry particularly targeting several popular media, logistics, and industrial companies based in Germany to carry out supply chain assaults. 

"Compared with most malware found in the NPM repository, this payload seems particularly dangerous: a highly-sophisticated, obfuscated piece of malware that acts as a backdoor and allows the attacker to take total control over the infected machine," researchers said in a new report. 

According to the DevOps company, the evidence discovered suggests it is either the work of a sophisticated hacker or a "very aggressive" penetration test. Four maintainers— bertelsmannnpm, boschnodemodules, stihlnodemodules, and dbschenkernpm— have been associated with all the rogue packages; most of the packages have been taken down from the repository.

The finding points out that the hackers are trying to copy legitimate firms like Bertelsmann, Bosch, Stihl, and DB Schenker. Some of the package names are distinct, which makes it likely that the adversary managed to trace the libraries hosted in the companies’ internal repositories to launch a dependency confusion attack. 

The findings are based on a report from Snyk late last month that detailed one of the malicious packages, "gxm-reference-web-auth-server," noting that the malware is targeting an unknown firm that has the same package in their private registry.

"The attacker(s) likely had information about the existence of such a package in the company's private registry," the Snyk security research team said. According to researchers at Reversing Labs, who independently examined the hacks, the rogue modules uploaded to NPM featured elevated version numbers than their private counterparts to force the modules onto target environments.

"The targeted private packages for the transportation and logistics firm had versions 0.5.69 and 4.0.48, while the malicious, public versions were identically named, but used versions 0.5.70 and 4.0.49," the cybersecurity firm explained. 

Calling the implant an "in-house development," JFrog pointed out that the malware contains two components, a dropper that sends information about the infected machine to a remote telemetry server before decrypting and executing a JavaScript backdoor. The backdoor, while lacking a persistence mechanism, is designed to receive and execute commands sent from a hard-coded command-and-control server, evaluate arbitrary JavaScript code, and upload files back to the server. 

Earlier this week, a German penetration testing company named Code White has owned up to uploading the malicious packages in question, adding it was an attempt to "mimic realistic threat actors for dedicated clients."
Read more »
Open Source Software
Malicious Codes malware NPM Package Open Source Software

Malicious Code Injected in Popular 'coa' and 'rc' Open Source Libraries

 

Coa, a popular library from npm, a manager for the JavaScript programming language, has been hijacked by hackers who published new versions equipped with password-stealing malware.

The 'coa' library, short for Command-Option-Argument, gets around 9 million downloads a week on npm, and is used by almost 5 million open-source GitHub repositories. The assault on coa will severely impact countless React pipelines around the globe, Bleeping Computer reported. 

Soon after spotting the hijack, security researchers also uncovered another popular npm component- 'rc'- also being impacted. The 'rc' library nets 14 million downloads a week on average. According to the security team of the npm, both packages were compromised simultaneously and were the result of threat actors securing access to a package developer’s account. 

Once inside, the hacker adds a post-installation script to the original codebase, which runs an obfuscated TypeScript used for downloading a Windows batch or Linux bash script depending on the OS of the machine running the software. The compromised coa versions are 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, 3.1.3, while compromised rc versions are 1.2.9, 1.3.9, 2.3.9

The last stable coa version 2.0.2 was released in December 2018, but developers around the world were left surprised when several suspicious versions 2.0.3, 2.0.4, 2.1.1, 2.1.3, and 3.1.3 began appearing on npm as of a few hours ago, breaking React packages that depend on 'coa'. 

The security team of the NPM has reportedly disabled the compromised versions of coa. “Users of affected versions (2.0.3 and above) should downgrade to 2.0.2 as soon as possible and check their systems for suspicious activity. See this issue for details as they unfold. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” the maintainers stated.
Read more »
Vulnerabilities and Exploits
JavaScript Node.js NPM Package Vulnerabilities and Exploits

Critical Flaws in NPM Package Patched by Node.js Developers

 

Node.js maintainers have launched a major update to the npm package "tar" (aka node-tar) that resolves five critical safety flaws, including some that possess a remote code execution threat. 

The npm package was vulnerable to arbitrary File Creation/Overwrite vulnerability due to insufficient relative path sanitization. The npm package presents itself as a module that accepts JavaScript proxy configuration files and creates a function for the user’s app to locate certain domains. 

The first three flaws tracked as CVE-2021-37712, CVE-2021-37701, and CVE-2021-37701 fall into the high-risk category while the other two flaws were categorized as being of moderate risk. 

“Path integrity controls built into the technology came unstuck when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems”, as explained in a National Vulnerability Database (NVD).

“The cache checking logic used both `\` and `/` characters as path separators, however `\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite,” it added. 

These five security flaws seriously impact those who use npm package versions prior to 5.0.0, even transitively in their Node.js application, and: 

• Explicitly use PAC files for proxy configuration or 
• Read and use the operating system proxy configuration in Node.js on systems with WPAD enabled or • Use proxy configuration (env vars, config files, remote config endpoints, command-line arguments) from an untrusted source 

“If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the file system, but _not_ from the internal directory cache, as it would not be treated as a cache hit,” researchers explained. 

Node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. The CVE-2021-37712 vulnerability violates this control, thus creating a risk from malformed tar archives similar to the CVE-2021-37701 vulnerability.
Read more »
Subscribe to: Posts (Atom)