Cybersecurity researchers recently found a new set of malicious packages in the npm package registry designed to steal sensitive developer data. Software supply chain firm Phylum initially discovered these packages on July 31, 2023; they were quickly taken down, then re-uploaded under different, more legitimate-sounding names.
Source: npm package listed in the package.json file
What might be the motive?
The motive behind the attack is not entirely clear, but it seems to target the cryptocurrency sector, with references to modules like “rocketrefer” and “binarium.” All packages were published by the npm user “malikrukd4732,” and each carries JavaScript code (“index.js”) that can collect valuable information and exfiltrate it to a remote server.
What’s the process?
During the process, the code:
- collects operating system details
- sends them to a remote server
- searches for files with specific extensions such as .env, .gitlab, .js, and .py, which may contain valuable intellectual property or credentials
- transmits the collected data to the server as a ZIP archive
This incident is not isolated, as open-source repositories have been targeted before.
https://twitter.com/attackify/status/1653665232563376130?s=20
Previous open-source repository targets
Another campaign was discovered using suspicious Python packages on PyPI, for which the attackers created matching repositories on GitHub so the packages would appear trustworthy to developers.
Source: The private-pypi server serves as an abstraction layer between Python package management tools (pip/poetry/twine) and the storage backends
In early July 2023, 13 rogue npm modules were also exposed in an operation known as “Operation Brainleeches,” where some packages facilitated credential harvesting through phishing attacks. The npm modules were used as supporting infrastructure for hosting files in email phishing and supply chain attacks against developers. According to ReversingLabs:
“The malicious npm packages were discovered in two tranches: One supported phishing attacks that harvested user data with phony Microsoft.com login forms launched from malicious email attachments. The other was intended to implant credential harvesting scripts in applications that inadvertently incorporate the npm packages.”
Source: Flow of the activity when the malicious attachment is opened in the web browser
It’s worth noting that even legitimate services like the jsDelivr CDN can be exploited for malicious purposes, demonstrating the importance of vigilance and security in open-source repositories.
Source: Target Open-Source repositories
Summing up
What does this mean? Taken together, previous and current events make it clear that open source repositories are a primary target. It is essential to assess their security, have third-party packages audited, and build up behavioural indicators. Indicators gathered across platforms detect malicious code as it is deployed and so help counter the more significant risks that follow.