48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems:
A new set of 48 malicious npm packages has been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems.
"These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said.
[...] "In this particular case, the attacker published dozens of benign-sounding packages with several layers of obfuscation and deceptive tactics in an attempt to ultimately deploy a reverse shell on any machine that simply installs one of these packages," Phylum said.
The findings arrive close on the heels of revelations that two packages published to the Python Package Index (PyPI) under the garb of simplifying internationalization incorporated malicious code designed to siphon sensitive Telegram Desktop application data and system information.
Related Stories
Researchers have determined that two fake AWS packages downloaded hundreds of times from the open source NPM JavaScript repository contained carefully concealed code that backdoored developers' computers when executed.
The packages—img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy—were attempts to appear as aws-s3-object-multipart-copy, a legitimate JavaScript library for copying files using Amazon's S3 cloud service. The fake files included all the code found in the legitimate library but added an additional JavaScript file named loadformat.js.
[...] "We have reported these packages for removal, however the malicious packages remained available on npm for nearly two days," researchers from Phylum, the security firm that spotted the packages, wrote. "This is worrying as it implies that most systems are unable to detect and promptly report on these packages, leaving developers vulnerable to attack for longer periods of time."
[...] In the past 17 months, threat actors backed by the North Korean government have targeted developers twice, one of those using a zero-day vulnerability.
Phylum researchers provided a deep-dive analysis of how the concealment worked.
[...]
One of the most innovative methods in recent memory for concealing an open source backdoor was discovered in March, just weeks before it was to be included in a production release of the XZ Utils[...] The person or group responsible spent years working on the backdoor. Besides the sophistication of the concealment method, the entity devoted large amounts of time to producing high-quality code for open source projects in a successful effort to build trust with other developers.
In May, Phylum disrupted a separate campaign that backdoored a package available in PyPI that also used steganography, a technique that embeds secret code into images.
"In the last few years, we've seen a dramatic rise in the sophistication and volume of malicious packages published to open source ecosystems," Phylum researchers wrote. "Make no mistake, these attacks are successful. It is absolutely imperative that developers and security organizations alike are keenly aware of this fact and are deeply vigilant with regard to open source libraries they consume."
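Both stories above hinge on the same two traits: a package that runs code at install time through an npm lifecycle script, and a lookalike package that ships the legitimate library's code plus one extra file (loadformat.js in the Ars Technica case). The following is an added example, not code from Phylum, npm or either article, that audits a package for exactly those traits before it is installed: it flags install hooks in package.json, files that are absent from or differ against a known-good copy of the imitated package, and a few crude obfuscation markers. The package representation (a parsed manifest plus a path-to-source map), the sample file contents, the version strings and the `postinstall` command are all constructed for this example; only the package names and the loadformat.js filename come from the story.

```javascript
// Added example, not code from Phylum, npm or the stories above: a small
// audit that flags the two traits those stories describe, install-time
// lifecycle scripts in package.json and files that a lookalike package adds
// to (or changes in) the legitimate package it imitates.
'use strict';

// npm runs these scripts automatically during `npm install` unless
// --ignore-scripts is given, so a package can execute code before the
// developer ever requires it.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Crude obfuscation indicators: dynamic code evaluation and long runs of
// hex or unicode escapes. Heuristics only, not proof of malice.
const OBFUSCATION_PATTERNS = [
  /\beval\s*\(/,
  /\bnew\s+Function\s*\(/,
  /(\\x[0-9a-fA-F]{2}){8,}/,
  /(\\u[0-9a-fA-F]{4}){8,}/,
];

// candidate / reference shape (assumed for this example):
//   { manifest: <parsed package.json>, files: { 'path/in/tarball': 'source text' } }
// Returns a list of { kind, detail } findings; an empty list means nothing flagged.
function auditPackage(candidate, reference) {
  const findings = [];
  const scripts = (candidate.manifest && candidate.manifest.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    if (hook in scripts) {
      findings.push({ kind: 'install-hook', detail: `${hook}: ${scripts[hook]}` });
    }
  }
  const referenceFiles = reference.files || {};
  for (const [name, source] of Object.entries(candidate.files || {})) {
    if (!(name in referenceFiles)) {
      findings.push({ kind: 'extra-file', detail: name });
    } else if (source !== referenceFiles[name]) {
      findings.push({ kind: 'modified-file', detail: name });
    }
    if (OBFUSCATION_PATTERNS.some((re) => re.test(source))) {
      findings.push({ kind: 'obfuscation', detail: name });
    }
  }
  return findings;
}

// Constructed sample data. The package names and loadformat.js come from
// the Ars Technica story; the file contents, versions and the postinstall
// command are made up for this example (the real payload is not reproduced).
const SAMPLE_REFERENCE = {
  manifest: { name: 'aws-s3-object-multipart-copy', version: '0.0.0-example' },
  files: {
    'index.js': 'module.exports = function copy(src, dst) { return [src, dst]; };',
  },
};

const SAMPLE_CANDIDATE = {
  manifest: {
    name: 'legacyaws-s3-object-multipart-copy',
    version: '0.0.0-example',
    scripts: { postinstall: 'node loadformat.js' },
  },
  files: {
    'index.js': SAMPLE_REFERENCE.files['index.js'],
    // Harmless stand-in for an obfuscated payload: hex-escaped console.log(1) fed to eval.
    'loadformat.js': String.raw`eval("\x63\x6f\x6e\x73\x6f\x6c\x65\x2e\x6c\x6f\x67\x28\x31\x29");`,
  },
};

function main() {
  for (const f of auditPackage(SAMPLE_CANDIDATE, SAMPLE_REFERENCE)) {
    console.log(`${f.kind}: ${f.detail}`);
  }
}

main();
```

Run against the constructed lookalike, the audit reports the `postinstall` hook, `loadformat.js` as a file the legitimate package does not have, and the escape-heavy `eval` call inside it; the reference package audited against itself reports nothing. In practice the `files` map would be built from the unpacked tarball of the version about to be installed, and the reference from the package it claims to be, which is the comparison Phylum's analysis relied on to spot the added file.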
Related stories on SoylentNews:
Trojanized jQuery Packages Found on Npm, GitHub, and jsDelivr Code Repositories - 20240713
48 Malicious Npm Packages Found Deploying Reverse Shells on Developer Systems - 20231104
Open-Source Security: It's Too Easy to Upload 'Devastating' Malicious Packages, Warns Google - 20220504
Dev Corrupts NPM Libs 'Colors' and 'Faker' Breaking Thousands of Apps - 20220111
Malicious NPM Packages are Part of a Malware "Barrage" Hitting Repositories - 20211213
Heavily Used Node.js Package Has a Code Injection Vulnerability - 20210227
Discord-Stealing Malware Invades NPM Packages - 20210124
Here's how NPM Plans to Improve Security and Reliability in 2019 - 20181217
NPM Fails Worldwide With "ERR! 418 I'm a Teapot" Error - 20180530
Backdoored Python Library Caught Stealing SSH Credentials - 20180511
(Score: 5, Insightful) by BsAtHome on Saturday November 04 2023, @01:52PM (6 children)
To start with: npm is a cesspit of packages and the javascript (development) environment is hopeless, has a poor basis and is a dependency nightmare.
With that said, the article author goes on to blame open source for the shortcomings and supply-chain attacks. That is calling the hammer guilty of murder. Not a statement to be taken seriously at any level. For those proprietary code pushers, well, these are even less trustworthy because they won't allow you to actually vet the packages.
Yes, the supply-chain problem is a real problem. Modern development is often and much built on what was adequately described by Randall Munroe [xkcd.com] quite some time ago. If takers are only taking, then we'll always have a dependency nightmare and an open door to supply-chain attacks.
Anarchy only invites anarchists. We need to be organized and cooperative. And we need to because a) to make many eyes see the problems and b) to fix things in the best way possible.
(Score: 4, Insightful) by mcgrew on Saturday November 04 2023, @03:58PM (2 children)
javascript (development) environment? I always just used a text editor. Kind of hard to insert bad shit into your code if you do it from scratch. Hand-coded and assembled assembly FTW!
Impeach Donald Saruman and his sidekick Elon Sauron
(Score: 3, Funny) by sgleysti on Saturday November 04 2023, @05:53PM (1 child)
Can I get an Amen?
Unless that's what you want to do ;)
Praise be.
(Score: 3, Funny) by mrpg on Saturday November 04 2023, @11:52PM
Ramen!
(Score: 3, Interesting) by krishnoid on Saturday November 04 2023, @05:12PM
I like to think of it more as a delicate ecosystem [youtu.be]. It can be both, though.
In particular, dependency management in massively-multicontributor online code repositories is probably the most complicated problem they have to deal with. I consider debian the best example of the amount of care and detail that has to go in to producing a properly interoperating system.
(Score: 5, Insightful) by sjames on Saturday November 04 2023, @06:05PM (1 child)
A big part of the problem is the prevalence of cargo cult programming in Javascript. A lot of people using Javascript are not programmers, they are web designers copy/pasting some javascript to make everything work.
They're not really in the wrong there, another piece of the puzzle is that javascript was never intended to be used as a full-on programming language with thousands of lines of code. It was intended to be a few simple function calls mostly triggered by events within the DOM (on*= methods in tags) with the functions being 5 or ten lines in the page header. Had it stayed that way, things would have been fine.
The current trend of massive kitchen sink frameworks within frameworks including many multiple K of javascript reminds me of hacks like implementing games in the Sendmail configuration language. It can be done, but other than as a one-off hack for fun, it probably shouldn't. And when it is, not on a production server.
(Score: 0) by Anonymous Coward on Sunday November 05 2023, @12:21PM
Aaaaah don't remind me of sendmail.cf!! Nooo! It burnses!
(Score: 2, Troll) by DadaDoofy on Saturday November 04 2023, @02:10PM (2 children)
Everyone knows Windows is the target bad actors focus on. All the cool kids use Linux, because it is immune to that sort of thing. Oh wait...
(Score: 3, Insightful) by Tork on Saturday November 04 2023, @03:18PM (1 child)
🏳️🌈 Proud Ally 🏳️🌈
(Score: 2) by requerdanos on Sunday November 05 2023, @07:35AM
On the other hand, according to tfa, "These packages show a dedicated and elaborate effort to avoid detection via static analysis and visual inspection by employing a variety of obfuscation techniques," yet they were still found by some of those million eyes.
(Score: 4, Insightful) by Runaway1956 on Saturday November 04 2023, @04:03PM (1 child)
I'm reluctant to use any of the "modern" package management systems. We had an article not long ago about some corrupt Py applications, and now NPM. I can see all manner of potential exploits for containers. I've played with downloaded virtual machines, and 3rd party OS installers in the past, ever mindful that a "community release" might harbor hidden exploits. Who remembers Red Flag Linux, from China? Yeah, it was loaded with Chinese government crap that I didn't want or need.
I tend to stick with a more official distro, and rely on the built-in package managers. I'll take chances from time to time with a third party package, but I don't even do that often. I really like Supermicro's system monitoring tool, but, there don't seem to be a lot of independent reviewers endorsing it.
It only takes one malware package to compromise your system.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 3, Informative) by coolgopher on Sunday November 05 2023, @12:28PM
Supermicro doesn't have a great record for security. Some quick examples:
https://arstechnica.com/security/2023/10/vulnerabilities-in-supermicro-bmcs-could-allow-for-unkillable-server-rootkits/ [arstechnica.com]
https://www.thomas-krenn.com/en/wiki/USBAnywhere_Supermicro_IPMI_Virtual_Media_Vulnerability [thomas-krenn.com]
https://www.forbes.com/sites/jeanbaptiste/2019/09/04/super-micro-new-critical-security-flaw-lets-hackers-take-over-corporate-servers-exfiltrate-data/ [forbes.com]
https://www.rapid7.com/blog/post/2013/11/06/supermicro-ipmi-firmware-vulnerabilities/ [rapid7.com]
https://threatpost.com/plaintext-supermicro-ipmi-credentials-exposed/106784/ [threatpost.com]