Kworld Trend / npm packages face an influx of malware akashtdr, Attackers use increasingly malicious JavaScript packages to steal data, engage in cryptojacking and unleash botnets, providing a broad supply chain attack surface for threat actors.
More than 1,300 malicious packages have been identified in the most downloaded JavaScript package repository used by developers, npm, in the past six months – a rapid increase that illustrates how npm has become a launching pad for a range of nefarious activities.
New research by open source security and management company WhiteSource has discovered an alarming increase in the delivery of malicious npm packages, which are used as building blocks for web applications. Any application that uses a malicious code block can introduce data theft, cryptocurrency, botnet delivery, and more to its users.
Of the malicious packages found, the company said, 14 percent were designed to steal sensitive information such as credentials, while nearly 82 percent of those packages performed “scanning,” which involved adversaries actively or passively collecting information. Can be used to support targeting. .
npm packages face an influx of malware akashtdr
Because npm packages in general are downloaded more than 20 billion times a week — and thus installed across countless web-facing software components and applications around the world — exploiting them means plenty of room for attackers to play, the researchers said in a report Wednesday. . An average of 32,000 new package releases are published per minute each month (17,000 per day), and 68 percent of developers rely on it to create rich online functionality, according to WhiteSource.
The researchers said that this level of activity enables threat actors to launch a number of software supply chain attacks. Accordingly, WhiteSource investigated malicious activity in npm, identifying more than 1,300 malicious packages in 2021 – which were subsequently removed, but may have entered any number of applications prior to their removal.
“Attackers are focusing more efforts on using npm for their own nefarious purposes and targeting the software supply chain with npm,” they wrote in the report. “In these supply chain attacks, adversaries shift their attacks upstream by infecting existing components that are distributed downstream and potentially installed millions of times over.”
To boot, with so many npm packages released per month, it’s also easy for vulnerabilities to slip through the holes, the researchers noted.
Why npm attack?
JavaScript is the most widely used programming language, and there are about 16.4 million JavaScript developers globally, according to WhiteSource.
Its widespread use and deployment across applications and systems that use the Internet make the JavaScript ecosystem a prime target for attackers, the researchers said. The researchers said that Npm itself is one of the most popular package and registry managers, with more than 1.8 million active packages, each with an average of 12.3 versions.
Package registries like npm also store packages, their associated metadata, and the configurations needed to install them – all of which are attack vectors, which makes it difficult for IT to keep up with packages, especially when the need to keep track of package versions is factored in.
Furthermore, although npm and other registries play an essential role in the JavaScript development process, “there are minimal security standards associated with them” because most of them are maintained and verified by open source communities or consortia, the researchers said. This makes it ripe for exploitation by attackers, according to WhiteSource. npm packages face an influx of malware akashtdr
Cont
In fact, attackers are taking advantage of the malicious opportunity that npm presents and have already targeted its popular registries in several high-profile attacks last year.
In January, attackers used npm to spread CursedGrabber malware that can steal Discord tokens and thus enable attacks on user accounts and servers. Then in July, researchers discovered a malicious npm package that was stealing passwords via Chrome’s account recovery tool.
In December, attackers used npm to target Discord again, hiding malicious code inside a package manager to harvest Discord tokens that could be used to take over unsuspecting users’ accounts and servers.
What is npm and why is it important?
By the end of 2022, there will be more than two billion websites on the Internet, and this number is expected to continue to grow exponentially, given that 252,000 new websites are created every day. Approximately 98 percent of these sites use JavaScript, a programming language known for its popularity, speed, strong documentation, and interoperability with other programming languages.
According to the Stack Overflow 2020 Developer Survey, for the eighth year in a row, JavaScript is
the most used programming language globally. 67.7% of respondents use it. With an estimated worldwide developer community of 24.3 million active software developers – that’s over 16.4 million developers.
However, even as developers increasingly rely on JavaScript to create rich online functionality, the JavaScript ecosystem is under constant attack from malicious actors. A common attack method is to install JavaScript packages using various package managers, which are tools that automatically handle project dependencies. npm packages face an influx of malware akashtdr
Malware and its common targets and effects
WhiteSource researchers identified some of the most common malware hidden in malicious npm packages they observed in the report, with payloads that can steal credentials or encryption and run botnets among the top offenders.
Some of the malicious packages and their functionality identified by WhiteSource in their investigation include:
- mos-sass-loader and css-resources-loader , which share brandjacking for remote code execution (RCE);
- Admin Circle web app and browser warning UI , which identifies external packages including malware for download;
- grubhubprod_cookbook , which gets into dependency confusion with the aim of entering Grubhub company data
- H98dx , a remote executable shell that runs on install to infect the device; And
- azure-web-pubsub-express , which enables data aggregation that collects host information.
The researchers also described a supply chain attack they observed in October using a popular npm library, ua-parser-js, which is used to parse user agent strings to identify a user’s browser, operating system, device, and other attributes. They said the library has more than 7 million downloads per week.
Cont
The researchers explain that threat actors used ua-parser-js to leverage the software supply chain and gain access to sensitive data, as well as vulnerable enterprise resources in the cloud.
“The attackers inserted malicious code in three copies of ua-parser-js after apparently taking over the developer’s npm account,” the researchers wrote. Three new versions of this package have been released in an effort to get users to download it.
While the previous clean version of the package was 0.7.28, the attacker deployed identical 0.7.29, 0.8.0, and 1.0.0 packages, “each containing malicious code activated upon installation,” they explain.
The researchers added that the author of the package responded quickly to mitigate the attacks and try to reduce the number of people who inadvertently installed a malicious package by publishing 0.7.30, 0.8.1 and 1.0.1.
Researchers have concluded that developers should be particularly vigilant when downloading npm packages on weekends, because it is the most time of the week when attackers release malicious packages. They said this is likely because they are understaffed and therefore online, making it easier for their activity to go unnoticed. npm packages face an influx of malware akashtdr
comments
JFrog researchers wrote:
The obfuscated version of the code is enormous: more than 4,000 lines of unreadable code, which contains every possible method of obfuscation: malformed variable names, encrypted strings, code flattening and reflexive function calls:
Through manual analysis and scripting, we were able to decompile the package and reveal that its final payload is quite straightforward – the payload simply loops through known browsers’ local storage folders (and Discord-specific folders), then searches for strings that look like Discord code using a regular expression. Any found token is sent back via HTTP POST to the static server https://aba45cf.glitch.me/polarlindo.
Another package called fix-error claimed to fix bugs in the “selfbot” discord. It also contained malicious code that had been obfuscated, but in this case, it was easier for the researchers to decipher. Researchers soon determined that the hidden code was a stolen copy of PirateStealer , an app that steals credit card information, login credentials, and other private data stored in the Discord client. It works by injecting malicious Javascript code into the Discord client. The token then “sies” on the user and sends the stolen information to an encrypted address.
The third example is prerequests-xcode, which is a package that contains the functions of a remote access trojan. The researchers wrote:
Upon examining the package’s code, we discovered that it contains a Node.JS port of
DiscordRAT (originally written in Python) that gives the attacker complete control over the victim’s machine. Malware is masked with the popular online tool obfuscator.io , but in this case it is enough to examine the list of available commands to understand the functions of RAT (literally copy).
