Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 12 submissions in the queue.
posted by janrinok on Monday December 13 2021, @06:31PM   Printer-friendly
from the just-trust-everyone dept.

Malicious NPM packages are part of a malware "barrage" hitting repositories:

Researchers have found another 17 malicious packages in an open source repository, as the use of such repositories to spread malware continues to flourish.

This time, the malicious code was found in NPM, where 11 million developers trade more than 1 million packages among each other. Many of the 17 malicious packages appear to have been spread by different threat actors who used varying techniques and amounts of effort to trick developers into downloading malicious wares instead of the benign ones intended.

This latest discovery continues a trend first spotted a few years ago, in which miscreants sneak information stealers, keyloggers, or other types of malware into packages available in NPM, RubyGems, PyPi, or another repository. In many cases, the malicious package has a name that's a single letter different than a legitimate package. Often, the malicious package includes the same code and functionality as the package being impersonated and adds concealed code that carries out additional nefarious actions.

"We are witnessing a recent barrage of malicious software hosted and delivered through open-source software repositories," JFrog researchers Andrey Polkovnychenko and Shachar Menashe wrote on Wednesday. "Public repositories have become a handy instrument for malware distribution: the repository's server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the npm client, provides a ripe attack vector."

Recently: Malware Downloaded from PyPI 41,000 Times Was Surprisingly Stealthy


Original Submission

Related Stories

Malware Downloaded from PyPI 41,000 Times Was Surprisingly Stealthy 22 comments

Malware downloaded from PyPI 41,000 times was surprisingly stealthy:

PyPI—the open source repository that both large and small organizations use to download code libraries—was hosting 11 malicious packages that were downloaded more than 41,000 times in one of the latest reported such incidents threatening the software supply chain.

JFrog, a security firm that monitors PyPI and other repositories for malware, said the packages are notable for the lengths its developers took to camouflage their malicious code from network detection. Those lengths include a novel mechanism that uses what's known as a reverse shell to proxy communications with control servers through the Fastly content distribution network. Another technique is DNS tunneling, something that JFrog said it had never seen before in malicious software uploaded to PyPI.

"Package managers are a growing and powerful vector for the unintentional installation of malicious code, and as we discovered with these 11 new PyPI packages, attackers are getting more sophisticated in their approach, Shachar Menashe, senior director of JFrog research, wrote in an email. "The advanced evasion techniques used in these malware packages, such as novel exfiltration or even DNS tunneling (the first we've seen in packages uploaded to PyPI) signal a disturbing trend that attackers are becoming stealthier in their attacks on open source software."

The researchers said that PyPI quickly removed all malicious packages once JFrog reported them.


Original Submission

Here's How Carefully Concealed Backdoor in Fake AWS Files Escaped Mainstream Notice 3 comments

https://arstechnica.com/security/2024/07/code-sneaked-into-fake-aws-downloaded-hundreds-of-times-backdoored-dev-devices/

Researchers have determined that two fake AWS packages downloaded hundreds of times from the open source NPM JavaScript repository contained carefully concealed code that backdoored developers' computers when executed.

The packages—img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy—were attempts to appear as aws-s3-object-multipart-copy, a legitimate JavaScript library for copying files using Amazon's S3 cloud service. The fake files included all the code found in the legitimate library but added an additional JavaScript file named loadformat.js.

[...] "We have reported these packages for removal, however the malicious packages remained available on npm for nearly two days," researchers from Phylum, the security firm that spotted the packages, wrote. "This is worrying as it implies that most systems are unable to detect and promptly report on these packages, leaving developers vulnerable to attack for longer periods of time."

[...] In the past 17 months, threat actors backed by the North Korean government have targeted developers twice, one of those using a zero-day vulnerability.

Phylum researchers provided a deep-dive analysis of how the concealment worked
[...]
One of the most innovative methods in recent memory for concealing an open source backdoor was discovered in March, just weeks before it was to be included in a production release of the XZ Utils

[...] The person or group responsible spent years working on the backdoor. Besides the sophistication of the concealment method, the entity devoted large amounts of time to producing high-quality code for open source projects in a successful effort to build trust with other developers.

In May, Phylum disrupted a separate campaign that backdoored a package available in PyPI that also used steganography, a technique that embeds secret code into images.

"In the last few years, we've seen a dramatic rise in the sophistication and volume of malicious packages published to open source ecosystems," Phylum researchers wrote. "Make no mistake, these attacks are successful. It is absolutely imperative that developers and security organizations alike are keenly aware of this fact and are deeply vigilant with regard to open source libraries they consume."

Related stories on SoylentNews:
Trojanized jQuery Packages Found on Npm, GitHub, and jsDelivr Code Repositories - 20240713
48 Malicious Npm Packages Found Deploying Reverse Shells on Developer Systems - 20231104
Open-Source Security: It's Too Easy to Upload 'Devastating' Malicious Packages, Warns Google - 20220504
Dev Corrupts NPM Libs 'Colors' and 'Faker' Breaking Thousands of Apps - 20220111
Malicious NPM Packages are Part of a Malware "Barrage" Hitting Repositories - 20211213
Heavily Used Node.js Package Has a Code Injection Vulnerability - 20210227
Discord-Stealing Malware Invades NPM Packages - 20210124
Here's how NPM Plans to Improve Security and Reliability in 2019 - 20181217
NPM Fails Worldwide With "ERR! 418 I'm a Teapot" Error - 20180530
Backdoored Python Library Caught Stealing SSH Credentials - 20180511


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 2) by drussell on Monday December 13 2021, @07:17PM (12 children)

    by drussell (2678) on Monday December 13 2021, @07:17PM (#1204711) Journal

    WTF is NPM?

    • (Score: 4, Informative) by janrinok on Monday December 13 2021, @07:18PM

      by janrinok (52) Subscriber Badge on Monday December 13 2021, @07:18PM (#1204712) Journal
      --
      I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
    • (Score: 2, Informative) by Anonymous Coward on Monday December 13 2021, @07:28PM (3 children)

      by Anonymous Coward on Monday December 13 2021, @07:28PM (#1204715)

      A Microsoft product.

      • (Score: 2) by Runaway1956 on Monday December 13 2021, @09:12PM (1 child)

        by Runaway1956 (2926) Subscriber Badge on Monday December 13 2021, @09:12PM (#1204738) Journal

        That's only half the story. It's javascript. Javascript by Microsoft.

        --
        “I have become friends with many school shooters” - Tampon Tim Walz
        • (Score: 2) by Reziac on Tuesday December 14 2021, @02:27AM

          by Reziac (2489) on Tuesday December 14 2021, @02:27AM (#1204843) Homepage

          Wiki sayeth...

          The registry does not have any vetting process for submission, which means that packages found there can potentially be low quality, insecure, or malicious.[19] Instead, npm relies on user reports to take down packages if they violate policies by being low quality, insecure, or malicious.[21]

          --
          And there is no Alkibiades to come back and save us from ourselves.
      • (Score: 0) by Anonymous Coward on Tuesday December 14 2021, @01:40PM

        by Anonymous Coward on Tuesday December 14 2021, @01:40PM (#1204953)

        To be pedantic, it was an independent product that Microsoft acquired. Why write your own garbage software when you can just wait for someone else to write it, then buy it?

    • (Score: 2, Informative) by Anonymous Coward on Monday December 13 2021, @08:35PM

      by Anonymous Coward on Monday December 13 2021, @08:35PM (#1204729)

      A highly-buzzword malware vector.

    • (Score: 1, Funny) by Anonymous Coward on Monday December 13 2021, @08:38PM (2 children)

      by Anonymous Coward on Monday December 13 2021, @08:38PM (#1204731)

      A millennial programmer's wet dream.

      • (Score: 1, Insightful) by Anonymous Coward on Tuesday December 14 2021, @12:53AM

        by Anonymous Coward on Tuesday December 14 2021, @12:53AM (#1204815)

        As a millenial programmer I am here to say I hate NPM.

        Even assuming it wasn't a malware delivery nightmare the versioning issues that are supposed to be made easy are frequently a giant pain in the ass. If you aren't constantly maintaining your project you'll find that package updates can break your project, force you to find alternatives, or WORST OF ALL dependencies get removed and you spend way more time trying to figure out replacements.

      • (Score: 0) by Anonymous Coward on Tuesday December 14 2021, @03:22AM

        by Anonymous Coward on Tuesday December 14 2021, @03:22AM (#1204856)

        They seem to be every programmer's wet dream since the idea of software repositories is older than millennials.

    • (Score: 2) by Freeman on Monday December 13 2021, @08:59PM (1 child)

      by Freeman (732) on Monday December 13 2021, @08:59PM (#1204735) Journal

      The reason DannyB is the way he is, considering his association with the Java language.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 1, Funny) by Anonymous Coward on Tuesday December 14 2021, @03:43AM

        by Anonymous Coward on Tuesday December 14 2021, @03:43AM (#1204860)

        Even though DannyB is a Maven at Java, that doesn't change that Java != JavaScript and that JavaScript !== Java.

    • (Score: 2) by isostatic on Tuesday December 14 2021, @03:14PM

      by isostatic (365) on Tuesday December 14 2021, @03:14PM (#1204976) Journal

      It stands for New Propagation of Malware

  • (Score: 2) by Mykl on Monday December 13 2021, @08:21PM (2 children)

    by Mykl (1112) on Monday December 13 2021, @08:21PM (#1204726)

    Frankly, I'm amazed that it took this long for threat actors to come up with this approach. The Open Source movement, by definition, has struggled with 'credentialing' developers and packages (it's hard enough even in a walled garden), meaning it's fallen upon the rest of the community to spot the few bad actors in their midst.

    We're all one typo away from being pwned.

    • (Score: 4, Interesting) by Thexalon on Monday December 13 2021, @08:41PM (1 child)

      by Thexalon (636) on Monday December 13 2021, @08:41PM (#1204732)

      "I'm not paying you to sit there reading other people's code!" - Every developer's manager, everywhere, in every organization.

      That's why actually reading through library code to check it for maliciousness doesn't happen, which makes it really really easy to sneak malicious stuff into a library. Oh, and even if your developer organization bans including random libraries from the Internet, it will happen, because some dev will want to save time and avoid re-inventing the wheel and will instead pull stuff in from a library, even if they're not supposed to.

      While it's true that many eyeballs make bugs shallower, a lot of stuff really doesn't get the number of eyeballs it should based on the importance it has in a system.

      --
      Vote for Pedro
      • (Score: 3, Interesting) by FatPhil on Tuesday December 14 2021, @12:13AM

        by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Tuesday December 14 2021, @12:13AM (#1204802) Homepage
        I consider myself very lucky to have worked in a job where my role evolved gradually into just that. I was brought in as a coder, but ended up the kernel maintainer, and almost none of my time was devoted to dev work any more. Productivity (getting bug-free code shipped) was never higher, as we almost never shipped any bugs. (There was a strong culture of code review generally, it wasn't just me.) 99% of bug reports were redireted to userspace teams, we were practically bulletproof. Of course, shitty hardware being shitty hardware, we did have plenty of those bugs to work around...
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 3, Interesting) by VLM on Monday December 13 2021, @09:24PM

    by VLM (445) on Monday December 13 2021, @09:24PM (#1204742)

    I have to say 17 is a pretty small "barrage"

    My personal experience with uploading npm packages is they whitelist and you need to open a trouble ticket and ask pretty please every time you upload a new package.

    The namespace is crowded and I've seen some pretty weird names. I would guess in the long run instead of names you'll specify some kind of path-of-trust. No matter how elaborate you make the signing mechanism and processing, Debian is a kind of extreme example, you'll still have people randomly installing any old stuff they see online. "Oh look a npm that claims to install comet cursor, I needs me that" and then they get powned.

  • (Score: 2) by bradley13 on Monday December 13 2021, @10:03PM (8 children)

    by bradley13 (3053) on Monday December 13 2021, @10:03PM (#1204761) Homepage Journal

    Include random libraries, rather than writing your own code. If course, those libraries load other libraries, which in turn load more libraries. So your little web page winds up downloading 5MB of crap, in order to parse an email address...

    --
    Everyone is somebody else's weirdo.
    • (Score: 2) by vux984 on Monday December 13 2021, @11:15PM (2 children)

      by vux984 (5045) on Monday December 13 2021, @11:15PM (#1204791)

      On the other hand a popular library probably does it right. I've been on WAY too many websites that rejected a perfectly valid email address because it was written by someone who thought they were smart enough but wasn't.

      And I'm not even talking about those fun obscure cases. I'm talking pretty basic stuff like rejecting an underscore or hyphen in the name, or rejecting valid TLDs like .edu, or even rejecting addresses with more than 2 subdomains (e.g. rejecting example@sub.domain.co.uk), or rejecting a domain name that is numerical, like someone@777.com

      • (Score: 2) by Reziac on Tuesday December 14 2021, @02:34AM

        by Reziac (2489) on Tuesday December 14 2021, @02:34AM (#1204847) Homepage

        I have an earthlink.net addy I've had since forever. It STILL gets rejected by the odd stupid form, even tho at one time it was the second most common email domain and you'd think after 27 years they'd have figured it out, but apparently not.

        --
        And there is no Alkibiades to come back and save us from ourselves.
      • (Score: 0) by Anonymous Coward on Tuesday December 14 2021, @01:49PM

        by Anonymous Coward on Tuesday December 14 2021, @01:49PM (#1204956)

        The hard task is finding third party libraries with stable APIs and zero transitive dependencies. Those are about as common as unicorns.

    • (Score: 1, Informative) by Anonymous Coward on Tuesday December 14 2021, @04:55AM (4 children)

      by Anonymous Coward on Tuesday December 14 2021, @04:55AM (#1204879)

      Fools. Everybody knows that a regex is the best way to parse email addresses.

      • (Score: 0) by Anonymous Coward on Tuesday December 14 2021, @08:26AM (1 child)

        by Anonymous Coward on Tuesday December 14 2021, @08:26AM (#1204911)
        (?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])
        • (Score: 1, Touché) by Anonymous Coward on Tuesday December 14 2021, @09:48AM

          by Anonymous Coward on Tuesday December 14 2021, @09:48AM (#1204915)

          If you are going to steal a regex from stack overflow, you might as well copy one that actually follows the specification.

      • (Score: 0) by Anonymous Coward on Tuesday December 14 2021, @01:51PM (1 child)

        by Anonymous Coward on Tuesday December 14 2021, @01:51PM (#1204957)

        You can write sane complex regexes if you use named capture groups. Damian Conway has some videos on it.

        • (Score: 1, Interesting) by Anonymous Coward on Tuesday December 14 2021, @11:20PM

          by Anonymous Coward on Tuesday December 14 2021, @11:20PM (#1205143)

          In addition to named groups, I like to build complex regular expressions explicitly from simpler ones using string formatting out of its component parts. To use an example leaving out the named groups, start with

          address = rf"{local-part}@{domain}"

          Now you see that requires a local-part and a domain. So you add those

          local-part = rf"(?:{dot-atom})|(?:{quoted-string})|(?:{obs-local-part})"
          domain = rf"(?:{dot-atom})|(?:{domain-literal})|?:({obs-domain})"
          address = rf"(?:{local-part})@(?:{domain})"

          And you keep going until you build your regular expression. The nice thing about it is that it can make it much easier to go back and see what is going on. Another benefit is that modern "regex" engines support context-sensitive grammars which can be harder to reason about with named groups alone. Finally, you can use language features that can be clearer with long lists of disjuncts, highly-nested definitions, or more performant by building prefix trees and other harder to grasp structures as you go.

(1)