Researchers have determined that two fake AWS packages downloaded hundreds of times from the open source NPM JavaScript repository contained carefully concealed code that backdoored developers' computers when executed.
The packages—img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy—were attempts to appear as aws-s3-object-multipart-copy, a legitimate JavaScript library for copying files using Amazon's S3 cloud service. The fake files included all the code found in the legitimate library but added an additional JavaScript file named loadformat.js.
[...] "We have reported these packages for removal, however the malicious packages remained available on npm for nearly two days," researchers from Phylum, the security firm that spotted the packages, wrote. "This is worrying as it implies that most systems are unable to detect and promptly report on these packages, leaving developers vulnerable to attack for longer periods of time."
[...] In the past 17 months, threat actors backed by the North Korean government have targeted developers twice, one of those using a zero-day vulnerability.
Phylum researchers provided a deep-dive analysis of how the concealment worked
[...]
One of the most innovative methods in recent memory for concealing an open source backdoor was discovered in March, just weeks before it was to be included in a production release of the XZ Utils
[...] The person or group responsible spent years working on the backdoor. Besides the sophistication of the concealment method, the entity devoted large amounts of time to producing high-quality code for open source projects in a successful effort to build trust with other developers.
In May, Phylum disrupted a separate campaign that backdoored a package available in PyPI that also used steganography, a technique that embeds secret code into images.
"In the last few years, we've seen a dramatic rise in the sophistication and volume of malicious packages published to open source ecosystems," Phylum researchers wrote. "Make no mistake, these attacks are successful. It is absolutely imperative that developers and security organizations alike are keenly aware of this fact and are deeply vigilant with regard to open source libraries they consume."
Related Stories
Submitted via IRC for TheMightyBuzzard
Barely a week has passed from the last attempt to hide a backdoor in a code library, and we have a new case today. This time around, the backdoor was found in a Python module, and not an npm (JavaScript) package.
The module's name is SSH Decorator (ssh-decorate), developed by Israeli developer Uri Goren, a library for handling SSH connections from Python code.
Source: https://www.bleepingcomputer.com/news/security/backdoored-python-library-caught-stealing-ssh-credentials/
Submitted via IRC for SoyCow3941
Users of the NPMJavaScript package manager were greeted by a weird error yesterday evening, as their consoles and applications spewed a message of "ERR! 418 I'm a teapot" whenever they tried to update or install a new JavaScript/Node.js package.
Source: https://www.bleepingcomputer.com/news/technology/npm-fails-worldwide-with-err-418-im-a-teapot-error/
NPM[*], to put it lightly, had a challenging year. A series of high-profile incidents resulted in headaches for system administrators, as a combination of third parties abusing the NPM platform as well as bad deployments from the NPM team themselves causing adverse effects.
In an interview with TechRepublic, NPM director of security Adam Baldwin indicated that NPM, Inc. is working on solutions to improve security. "Users of Javascript in the enterprise share responsibility with NPM. We have a dedicated security team and are building products in 2019 to focus on these efforts," Baldwin said. The product hinted at is tooling being built into NPM, "starting with Enterprise, to help understand what is being run on systems." These changes are tentatively planned to be unveiled in the first half of 2019.
These plans include identifying known vulnerabilities and advanced reporting and visualization of dependency trees, in order to gain a better understanding of what is being used in deployment. In an earlier email with TechRepublic, NPM's Jonathan Cowperthwait noted that the team could improve security by "surfacing information about maintainer transfers," and "driving use of two-factor authentication."
https://www.techrepublic.com/article/heres-how-npm-plans-to-improve-security-and-reliability-in-2019/
[*] https://en.wikipedia.org/wiki/Npm_(software):
npm is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js. It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. The registry is accessed via the client, and the available packages can be browsed and searched via the npm website. The package manager and the registry are managed by npm, Inc.
Discord-Stealing Malware Invades npm Packages":
The CursedGrabber malware has infiltrated the open-source software code repository.
Three malicious software packages have been published to npm, a code repository for JavaScript developers to share and reuse code blocks. The packages represent a supply-chain threat given that they may be used as building blocks in various web applications; any applications corrupted by the code can steal tokens and other information from Discord users, researchers said.
Discord is designed for creating communities on the web, called “servers,” either as standalone forums or as part of another website. Users communicate with voice calls, video calls, text messaging, media and files. Discord “bots” are central to its function; these are AIs that can be programmed to moderate discussion forums, welcome and guide new members, police rule-breakers and perform community outreach. They’re also used to add features to the server, such as music, games, polls, prizes and more.
Discord tokens are used inside bot code to send commands back and forth to the Discord API, which in turn controls bot actions. If a Discord token is stolen, it would allow an attacker to hack the server.
As of Friday, the packages (named an0n-chat-lib, discord-fix and sonatype, all published by “scp173-deleted”) were still available for download. They make use of brandjacking and typosquatting to lure developers into thinking they’re legitimate. There is also “clear evidence that the malware campaign was using a Discord bot to generate fake download counts for the packages to make them appear more popular to potential users,” according to researchers at Sonatype.
See also: CursedGrabber strikes again: Sonatype spots new malware campaign against Software Supply Chains.
Heavily used Node.js package has a code injection vulnerability:
A heavily downloaded Node.js library has a high severity command injection vulnerability revealed this month.
Tracked as CVE-2021-21315, the bug impacts the "systeminformation" npm component which gets about 800,000 weekly downloads and has scored close to 34 million downloads to date since its inception.
Put simply, "systeminformation" is a lightweight Node.js library that developers can include in their project to retrieve system information related to CPU, hardware, battery, network, services, and system processes.
[...] "This library is still work in progress. It is supposed to be used as a backend/server-side library (will definitely not work within a browser)," states the developer behind the component.
However, the presence of the code injection flaw within "systeminformation" meant an attacker could execute system commands by carefully injecting payload within the unsanitized parameters used by the component.
[...] Users of "systeminformation" should upgrade to versions 5.3.1 and above to resolve the CVE-2021-21315 vulnerability in their application.
Malicious NPM packages are part of a malware "barrage" hitting repositories:
Researchers have found another 17 malicious packages in an open source repository, as the use of such repositories to spread malware continues to flourish.
This time, the malicious code was found in NPM, where 11 million developers trade more than 1 million packages among each other. Many of the 17 malicious packages appear to have been spread by different threat actors who used varying techniques and amounts of effort to trick developers into downloading malicious wares instead of the benign ones intended.
This latest discovery continues a trend first spotted a few years ago, in which miscreants sneak information stealers, keyloggers, or other types of malware into packages available in NPM, RubyGems, PyPi, or another repository. In many cases, the malicious package has a name that's a single letter different than a legitimate package. Often, the malicious package includes the same code and functionality as the package being impersonated and adds concealed code that carries out additional nefarious actions.
"We are witnessing a recent barrage of malicious software hosted and delivered through open-source software repositories," JFrog researchers Andrey Polkovnychenko and Shachar Menashe wrote on Wednesday. "Public repositories have become a handy instrument for malware distribution: the repository's server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the npm client, provides a ripe attack vector."
Recently: Malware Downloaded from PyPI 41,000 Times Was Surprisingly Stealthy
From Bleeping Computer
Users of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking.
Some surmised if the NPM libraries had been compromised, but it turns out there's much more to the story.
The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on 'colors and 'faker'.
The colors library receives over 20 million weekly downloads on npm alone, and has almost 19,000 projects depending on it. Whereas, faker receives over 2.8 million weekly downloads on npm, and has over 2,500 dependents.
But the target of this action wasn't the end user - but the big corporations...
[...] The reason behind this mischief on the developer's part appears to be retaliation—against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community.
In November 2020, Marak had warned that he will no longer be supporting the big corporations with his "free work" and that commercial entities should consider either forking the projects or compensating the dev with a yearly "six figure" salary.
"Respectfully, I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work. There isn't much else to say," the developer previously wrote.
Open-source security: It's too easy to upload 'devastating' malicious packages, warns Google:
Google has detailed some of the work done to find malicious code packages that have been sneaked into bigger open-source software projects.
The Package Analysis Project is one of the software supply chain initiatives from the the Linux Foundation's Open Source Security Foundation (OpenSSF) that should help automate the process of identifying malicious packages distributed on popular package repositories, such as npm for JavaScript and PyPl for Python. It runs a dynamic analysis of all packages uploaded to popular open-source repositories. It aims to provide data about common types of malicious packages and inform those working on open-source software supply chain security about how best to improve it.
[...] "Despite open-source software's essential role in all software built today, it's far too easy for bad actors to circulate malicious packages that attack the systems and users running that software."
[...] Attackers distribute malicious packages on npm and PyPl often enough that it's something OpenSSF, which Google is a member of, decided it needed to be addressed.
48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems:
A new set of 48 malicious npm packages have been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems.
"These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said.
[...] "In this particular case, the attacker published dozens of benign-sounding packages with several layers of obfuscation and deceptive tactics in an attempt to ultimately deploy a reverse shell on any machine that simply installs one of these packages," Phylum said.
The findings arrive close on the heels of revelations that two packages published to the Python Package Index (PyPI) under the garb of simplifying internationalization incorporated malicious code designed to siphon sensitive Telegram Desktop application data and system information.
Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories:
Unknown threat actors have been found propagating trojanized versions of jQuery on npm, GitHub, and jsDelivr in what appears to be an instance of a "complex and persistent" supply chain attack.
"This attack stands out due to the high variability across packages," Phylum said in an analysis published last week.
"The attacker has cleverly hidden the malware in the seldom-used 'end' function of jQuery, which is internally called by the more popular 'fadeTo' function from its animation utilities."
[...] The malicious changes, per Phylum, have been introduced in a function named "end," allowing the threat actor to exfiltrate website form data to a remote URL.
Further investigation has found the trojanized jQuery file to be hosted on a GitHub repository associated with an account called "indexsc." Also present in the same repository are JavaScript files containing a script pointing to the modified version of the library.
"It's worth noting that jsDelivr constructs these GitHub URLs automatically without needing to upload anything to the CDN explicitly," Phylum said.
"This is likely an attempt by the attacker to make the source look more legitimate or to sneak through firewalls by using jsDelivr instead of loading the code directly from GitHub itself."
The development comes as Datadog identified a series of packages on the Python Package Index (PyPI) repository with capabilities to download a second-stage binary from an attacker-controlled server depending on the CPU architecture.
See also:
- How npm install scripts can be weaponized: A real-world example of a harmful npm package
- Why NPM and Yarn f*cking suck | HackerNoon