Supply chain attack compromises npm packages to spread backdoor malware

In a newly discovered supply chain attack, attackers last week targeted a range of npm-hosted JavaScript type testing utilities, several of which were successfully compromised to distribute malware.

Anyone automatically downloading these packages would have been exposed to a backdoor supply chain attack until cleaned versions were installed.

In one example on July 19, attackers seeded is, a popular npm JavaScript type testing utility, with malware that went unnoticed for six hours. The bad news was delivered by maintainer Jordan Harband in a post on Bluesky:

“Heads up that v3.3.1 of npmjs.com/is has malware in it, due to another maintainer’s account being hijacked,” he wrote.

The infected version was removed by npm admins and v3.3.0 reinstated as the latest, he added. Version 3.3.2 has since been published in its place, while another rogue version, 5.0.0, was also removed.

“The old owner was somehow removed from the npm package and emailed me to be re-added. Everything seemed normal, so I obliged (irritated the npm would remove an owner without notifying the other owners) and the next morning [the infected version] was published,” wrote Harband.

The is utility offers runtime external data validation and error checking. It’s not clear how many packages would have updated to the malware-infected version of is during the time it was online, but the fact that it’s currently downloaded almost 2.8 million times each week offers a clue to its appeal to attackers.

Spoofed emails

Unfortunately, the same campaign also targeted several other popular JavaScript type testing libraries using the same phishing tactic, in a campaign now dubbed Scavenger by researchers.

According to supply chain defense vendor Socket, the packages targeted included eslint-config-prettier, eslint-plugin-prettier, synckit@0.11.9, @pkgr/core@0.2.8, napi-postinstall@0.3.1, and got-fetch.

Phishing emails targeted maintainers from a typosquatted domain, npnjs.org, easily confused with the legitimate npmjs.org.

Hunting ground

The Scavenger campaign is the sum of several things happening in multiple places at once, as part of much larger supply chain shenanigans. Putting the pieces of this kind of puzzle together takes days, which the attackers of course count on.

An obvious issue is the amount of scope there is to socially engineer and hijack maintainer accounts using old-school phishing. Given the importance of maintainers, this is a worry for anyone using npm packages. To make things worse, the Scavenger malware was missed by most anti-malware clients on VirusTotal.

It’s clear that perpetrators of malware campaigns are determined to infiltrate supply chains and see npm as a good hunting ground. Scavenger demonstrates that when attackers compromise packages, the malware they plant can be potent.

“The npm is package attack wasn’t just about Windows-specific DLLs. It used a cross-platform JavaScript malware loader. This JavaScript runs entirely in JavaScript on Node.js 12+ across macOS, Linux, and Windows, and it keeps a live Command and Control (C2) channel open,” pointed out Tom Hyslip, a cybercrime and cybersecurity expert at the University of South Florida.

But why npm packages? According to Max Gannon from anti-phishing vendor Cofense, package maintainers are simply an inviting example of high-privilege account holders with wide reach.

“Rather than working to compromise one company and being uncertain of the payoff, threat actors can compromise one developer and end up with their malware in hundreds, or even thousands of other companies,” said Gannon.

“Even if it takes ten times longer to compromise a developer, the payoff can be well over ten times what could have been made by compromising ten other companies in that same time period,” he pointed out.

What to do

In Hyslip’s view, beyond mandating multi-factor authentication (MFA) for maintainer accounts, developers should lock down dependencies using package-lock.json to stop malicious updates being applied across the dependency tree without the developer being aware. It is also a good idea to use tools to track installed versions, while relating these to known security vulnerabilities, he said.

Tools can be used to analyze packages before they are installed, while attestations and package versions can be cross-referenced against other repositories. Given the targeting of npm and package platforms generally, developers should never automatically install new versions without vetting, especially since npm currently makes regular appearances in the list of most targeted package distribution platforms. In May, for example, Socket noticed 60 malicious npm packages, while in June, a further two destructive packages were discovered installing backdoors.
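Acting on the lockfile advice above, as an added example that is not code from the article or from any vendor it quotes: a short Node.js script that checks a package-lock.json for the compromised versions named in this article and flags root dependencies whose ^ or ~ ranges would let a routine npm install move to a newer release. The lockfile it reads is constructed for the demonstration.

```javascript
// Added example, not code from the article or the vendors it quotes: scan a
// package-lock.json (v2/v3 "packages" map) for the compromised versions the
// article names and list root dependencies declared with floating ranges.
// Versions are those the article states; the lockfile itself is constructed.
const COMPROMISED = {
  "is": ["3.3.1", "5.0.0"],
  "synckit": ["0.11.9"],
  "@pkgr/core": ["0.2.8"],
  "napi-postinstall": ["0.3.1"],
};
// Constructed lockfile: one bad pin, one clean pin, one bad scoped pin.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { is: "^3.3.0", synckit: "0.11.8", "@pkgr/core": "0.2.8" } },
    "node_modules/is": { version: "3.3.1" },
    "node_modules/synckit": { version: "0.11.8" },
    "node_modules/@pkgr/core": { version: "0.2.8" },
  },
});

// Nested installs look like "node_modules/a/node_modules/@scope/b", so the
// package name is whatever follows the last "node_modules/".
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? path : path.slice(i + "node_modules/".length);
}

// Every installed package whose exact version is on the denylist.
function scanLockfile(lockJson, denylist = COMPROMISED) {
  const findings = [];
  for (const [path, entry] of Object.entries(JSON.parse(lockJson).packages || {})) {
    if (path === "") continue; // root project entry, handled by floatingRanges
    const name = nameFromPath(path);
    if ((denylist[name] || []).includes(entry.version)) findings.push({ name, version: entry.version });
  }
  return findings;
}

// A ^ or ~ range (or "*" / "latest") at the root lets a plain `npm install`
// rewrite the lock to a newer release; `npm ci` installs only what the lock pins.
function floatingRanges(lockJson) {
  const root = JSON.parse(lockJson).packages?.[""] || {};
  const out = {};
  for (const [name, range] of Object.entries(root.dependencies || {})) {
    if (/^[\^~]/.test(range) || range === "*" || range === "latest") out[name] = range;
  }
  return out;
}
if (typeof require !== "undefined" && require.main === module) console.log(scanLockfile(SAMPLE_LOCK), floatingRanges(SAMPLE_LOCK));
```

Against the sample it reports is@3.3.1 and @pkgr/core@0.2.8 as compromised and is as the only floating range; point it at a real lockfile by reading the file contents in place of SAMPLE_LOCK.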

Pausing to check out updated packages runs counter to some hard-earned reflexes, noted Gannon: “The long-standing adage in the secure software sphere has been patch early, patch often. This, unfortunately, makes [package platforms] particularly vulnerable to supply chain attacks.”
