https://arstechnica.com/security/2024/07/code-sneaked-into-fake-aws-downloaded-hundreds-of-times-backdoored-dev-devices/ [arstechnica.com]
Researchers have determined that two fake AWS packages downloaded hundreds of times from the open source NPM JavaScript repository contained carefully concealed code that backdoored developers' computers when executed.
The packages—img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy—were attempts to appear as aws-s3-object-multipart-copy [github.com], a legitimate JavaScript library for copying files using Amazon’s S3 cloud service. The fake files included all the code found in the legitimate library but added an additional JavaScript file named loadformat.js.
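The construction described above (the legitimate package's files plus one extra file, published under a lookalike name) is something a consumer can screen for before installing. The following is an added example, not code from the article or from Phylum: the file lists are constructed stand-ins for what `npm pack --dry-run` reports for each tarball, and the edit-distance threshold is an assumed tuning value.

```javascript
// Added example: flag npm package names that imitate a trusted upstream and
// report files the suspect tarball ships that the upstream does not.

const LEGIT_NAME = "aws-s3-object-multipart-copy"; // legitimate library named in the article

// Constructed file lists standing in for `npm pack --dry-run` output.
const LEGIT_FILES = ["package.json", "README.md", "index.js", "lib/copy.js"];
const SUSPECT_FILES = [...LEGIT_FILES, "loadformat.js"]; // extra file named in the article

// Standard edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// A name that embeds the legitimate name (prefix/suffix squatting) or sits
// within a few edits of it is treated as a lookalike. maxDistance is an assumed
// threshold; tune it for the name lengths in your dependency set.
function isLookalike(candidate, legit = LEGIT_NAME, maxDistance = 4) {
  if (candidate === legit) return false;
  if (candidate.includes(legit)) return true;
  return levenshtein(candidate, legit) <= maxDistance;
}

// Files in the suspect package that the trusted upstream does not ship.
function extraFiles(legitFiles, suspectFiles) {
  const known = new Set(legitFiles);
  return suspectFiles.filter((f) => !known.has(f)).sort();
}

// Combine both signals: a lookalike name carrying files the upstream lacks.
function assessPackage(name, files, legitName = LEGIT_NAME, legitFiles = LEGIT_FILES) {
  const added = extraFiles(legitFiles, files);
  const lookalike = isLookalike(name, legitName);
  return { name, lookalike, added, suspicious: lookalike && added.length > 0 };
}

console.log(assessPackage("img-aws-s3-object-multipart-copy", SUSPECT_FILES));
```

A clean diff of file lists is a cheap first pass only; a trojaned copy can also modify an existing file, so the same comparison should be run on file hashes when the upstream tarball is available.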
[...]
“We have reported these packages for removal, however the malicious packages remained available on npm for nearly two days,” researchers from Phylum, the security firm that spotted the packages, wrote [phylum.io]. “This is worrying as it implies that most systems are unable to detect and promptly report on these packages, leaving developers vulnerable to attack for longer periods of time.”
[...]
In the past 17 months, threat actors backed by the North Korean government have targeted [arstechnica.com] developers twice, one of those using a zero-day vulnerability [arstechnica.com]. Phylum researchers provided a deep-dive analysis of how the concealment worked.
[...]
One of the most innovative methods in recent memory for concealing an open source backdoor was discovered in March [arstechnica.com], just weeks before it was to be included in a production release of the XZ Utils
[...]
The person or group responsible spent years working on the backdoor. Besides the sophistication of the concealment method, the entity devoted large amounts of time to producing high-quality code for open source projects in a successful effort to build trust with other developers.

In May, Phylum disrupted a separate campaign [phylum.io] that backdoored a package available in PyPI that also used steganography, a technique that embeds secret code into images.
“In the last few years, we’ve seen a dramatic rise in the sophistication and volume of malicious packages published to open source ecosystems,” Phylum researchers wrote. “Make no mistake, these attacks are successful. It is absolutely imperative that developers and security organizations alike are keenly aware of this fact and are deeply vigilant with regard to open source libraries they consume.”
Related stories on SoylentNews:
Trojanized jQuery Packages Found on Npm, GitHub, and jsDelivr Code Repositories [soylentnews.org] - 20240713
48 Malicious Npm Packages Found Deploying Reverse Shells on Developer Systems [soylentnews.org] - 20231104
Open-Source Security: It's Too Easy to Upload 'Devastating' Malicious Packages, Warns Google [soylentnews.org] - 20220504
Dev Corrupts NPM Libs 'Colors' and 'Faker' Breaking Thousands of Apps [soylentnews.org] - 20220111
Malicious NPM Packages are Part of a Malware “Barrage” Hitting Repositories [soylentnews.org] - 20211213
Heavily Used Node.js Package Has a Code Injection Vulnerability [soylentnews.org] - 20210227
Discord-Stealing Malware Invades NPM Packages [soylentnews.org] - 20210124
Here's how NPM Plans to Improve Security and Reliability in 2019 [soylentnews.org] - 20181217
NPM Fails Worldwide With "ERR! 418 I'm a Teapot" Error [soylentnews.org] - 20180530
Backdoored Python Library Caught Stealing SSH Credentials [soylentnews.org] - 20180511