Geeks for your information Security Security Vendors Kaspersky Kaspersky Security Blog v
npm registry attacked by secret-stealing worm
npm registry attacked by secret-stealing worm
harlan4096 Offline
MalWare Zoo Team
*******
Posts: 15,115
Threads: 9,821
Thanks Received: 9,144 in 7,296 posts
Thanks Given: 9,999
Joined: 12 September 18
#1
Bug  16 September 25, 16:54
Quote:A new large-scale attack on a popular JavaScript code registry has hit around 150 packages. The automatic propagation of the threat makes it especially dangerous — developers need to react ASAP.

On the evening of September 15, a new attack against the most popular JavaScript component npm began.  A number of packages some with millions of weekly downloads were infected with malicious code that steals tokens and authentication keys. Its most interesting feature is that it is able to spread automatically infecting other nmp packages. Among the infected packages is the popular @ctrl/tinycolor. According to Aikido Security, almost 150 packages have been compromised including Crowdstrike packages.

Propagation methodology

The method of the first infection and “patient zero” are currently unknown. Since the attack pattern is very similar to the recent s1ngularity incident, it may have been phishing as well. But the further chain of infection is as follows:
  • Malicious code is added to compromised packages in the form of a post-installation script saved in the bundle.js file. When the victim installs the infected package, the script runs. Unlike the previous incident, the script is cross-platform and works in both *nix and Windows environments.
  • The script downloads a platform-appropriate version of TruffleHog, a legitimate secret-finding tool. TruffleHog finds high-entropy strings in local file systems and available repositories. These are cryptographic keys, API tokens, and other such information.
  • In addition to searching through TruffleHog, the script validates useful tokens by analyzing environment variables such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. It then checks if they are valid by querying the npm whoami and GitHub user API-endpoints.
  • The script then compromises npm packages to which the attacked user has access with publishing rights. To do this, it downloads the current version of the infected package from npm, increments the subversion by 1, adds a link to the postinstall hook, and writes its copy to the bundle.js file. Then the trojanized “new version” of the package is published to npm.
  • Then it marks the victim’s repositories as public ones, which is sometimes a separate, more important leak.
Continue Reading...
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
K-Lite Codec Pack 19.2.0 / 19.2.2 Update
Changes in 19.2.2 ...harlan4096 — 08:31
Malwarebytes v5.4.0.213
Malwarebytes v5.4....Mohammad.Poorya — 12:12
Mozilla Firefox Browser 143.0.1
Mozilla Firefox Br...harlan4096 — 16:09
Vivaldi 7.6 Build 3797.52
Vivaldi 7.6 Build ...harlan4096 — 16:07
PowerToys 0.94.1
Release v0.94.1 ...harlan4096 — 16:06

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
avatar (38)fapedDow
avatar (48)pohudidere
avatar (38)eqiduseb
avatar (40)maskbSleew

[-]
Online Staff
mjcn19's profile mjcn19

>