Developers beware: Malware has been found in a dozen popular NPM packages – here’s what you need to know

More than a dozen NPM packages, with a combined one million weekly downloads, have been compromised to deliver malware.
Node Package Manager (NPM) is the widely-used default package manager for the JavaScript runtime environment, Node.js, and is used to install libraries, share packages, manage dependencies, run scripts, and more.
A newly-discovered Remote Access Trojan (RAT) enables an attacker to execute shell commands, capture screenshots, and upload files to infected machines.
They could then carry out various follow-on actions, such as mining cryptocurrency, stealing sensitive information, and even shutting down services.
According to an analysis by Aikido Security, the culprits are likely to be the same threat actors it spotted last month compromising the popular package rand-user-agent.
“The payload that the attackers are delivering is practically the same as documented in the rand-user-agent case, but there are some differences,” researchers said.
There’s a new C2 server, and two new commands, one dumping system context and metadata, and the other making an external request to http://ip-api.com/json and returning public IP information.
“Given the magnitude of the attack, we wanted to raise awareness about it as quickly as possible, so that people can protect themselves. These attackers have consistently demonstrated the ability to compromise packages, deploying their remote access trojans (RATs),” researchers warned.
Aikido has compiled a list of affected packages, which developers are urged to check.
NPM threats highlight growing supply chain risks
Mike McGuire, senior manager at Black Duck, said the Akamai discovery highlights growing supply chain security risks faced by developers and enterprises alike.
“This supply chain attack represents another stark representation of how attackers are no longer waiting around to discover accidental vulnerabilities in open source libraries,” he said.
“Instead, they’re taking advantage of the inherent trust that we have in the open source community by injecting malware into popular, trustworthy libraries.”
Those who suspect they may have installed any of the affected packages should check their firewall for any outbound connections to these IPs, according to Aikido:
- 136.0.9[.]8
- 85.239.62[.]36
Notably, researchers warned that on Windows the RAT will try to persist on the system through files under the path %LOCALAPPDATA%\Programs\Python\Python3127.
“If you find any files in this location, you have been compromised and should no longer trust the system to be safe, as the attackers may have deployed more payloads afterwards,” the researchers said.
Keep close tabs on open source dependencies
Black Duck advised organizations to maintain a complete and accurate list of open source dependencies used in projects. This, the company said, will make it easier and faster to identify the impact when attacks and vulnerabilities are published.
Similarly, enterprises are advised to use lock files to pin exact package versions, reducing unexpected updates, and validate the provenance of packages by evaluating the package sources and maintainers.
It’s also a good idea to check whether the package has been updated suddenly, if maintainers have been recently changed, or whether suspicious post-install scripts have been introduced.
Organizations should also automate security scanning within the CI/CD pipeline to analyze dependencies for known security risks, and scan source code to identify potentially insecure or malicious behaviour and patterns.
In the meantime, McGuire said development teams should check if their projects depend on any of the compromised versions.
If this is the case, they should “immediately upgrade or downgrade to a safe version that was released prior to June 6th to ensure uncompromised trust in software”.