Cybercriminals targeted users of packages with a total of 1.5 billion weekly dow...
source link: https://www.mend.io/resources/blog/cybercriminals-targeted-users-of-packages-with-a-total-of-1-5-billion-weekly-downloads-on-npm/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Cybercriminals targeted users of packages with a total of 1.5 billion weekly downloads on npm
Another week, another supply chain incident. It’s been only nine days since the Mend research team detected the dYdX incident, and today we have detected another supply chain malicious campaign.
On October 02, 2022 at 12:12 UTC, a new npm account was registered, and a package called nuiversalify was immediately uploaded. The same threat actor then proceeded to publish more typo/spellcheck squattings of popular packages until 14:03:29 UTC, with small but irregular time gaps between uploads. The irregular publishing cadence may suggest that for many name-cases, the npm typosquatting mechanism worked as expected.
In a typosquatting attack, an attacker publishes a malicious package with a similar name to a popular package, in the hope that a developer will misspell a package name and unintentionally fetch the malicious version.
In total, the threat actor published 155 packages to npm targeting users of the following packages:
Legit package name | Weekly downloads |
universality | 51,810,168 |
webidl-conversions | 61,052,599 |
shebang-command | 52,050,912 |
anymatch | 47,421,866 |
string-width | 98,034,656 |
tslib | 137,845,760 |
micromatch | 63,087,644 |
supports-color | 224,997,209 |
http-errors | 52,840,509 |
ansi-regex | 130,553,307 |
glob-parent | 68,724,436 |
ignore | 49,645,827 |
postcss-value-parser | 50,840,222 |
has-flag | 161,338,767 |
debug | 205,533,537 |
estraverse | 69,169,061 |
jsesc | 46,116,034 |
i18n | 240,385 |
Total | 1,571,302,899 |
Here are the names of the packages that were uploaded:
tsilb, nuiversalify3, micrmoatch, lgob-parent, glob-praent, http-rerors, postcss-valeu-parser, jsecs, y81n, ussports-color, stirng-width, string-wdith, webidl-conversinos, asni-regex, 1y8n, sypport-color, ahs-flag, igonre, string-iwdth, webidl-conversiosn, esrtaverse, hsa-flag, shebnag-command, webidl-covnersions, univesralify, webidl-conevrsions, strign-width, y1n8, suopport-colors, shebang-comamnd, microamtch, anymathc, uinversalify, naymatch, anis-regex, postcss-value-pasrer, ansi-reegx, webidl-convesrions, aynmatch, string-widht, wbeidl-conversions, glob-parnet, sheabng-command, ansi-rgeex, estraveres, stlib, shebang-commadn, soupports-colors, webidl-conversion, webdl-conversions, estravrese, http-erorrs, tsring-width, ignoer, has-falg, supports-colro, shebang-cmomand, deubg, shebagn-command, anmyatch, has-lfag, strnig-width, glob-aprent, opstcss-value-parser, shebang-ocmmand, supprots-color, hsebang-command, srting-width, aypports-color, estravesre, dupport-colors, nuiversalify, ansi-regxe, tlsib, spuports-color, glob-paernt, ginore, webdli-conversions, postcss-value-parsre, sehbang-command, has-flga, http-errosr, glbo-parent, golb-parent, postcss-value-paresr, string-witdh, ewbidl-conversions, universlaify, estraevrse, tslbi, suypport-colors, micormatch, thtp-errors, univeraslify, supoprts-color, ebidl-conversions, supports-cloor, anyamtch, syupport-colors, ignroe, webidl-conversoins, htpt-errors, postcss-vlaue-parser, supporst-color, postcss-value-praser, nuiversalify1, edbug, universailfy, potscss-value-parser, posctss-value-parser, postcss-avlue-parser, webid-conversions, univresalify, anymacth, ansi-ergex, uspport-colors, glob-paretn, webidl-ocnversions, weibdl-conversions, nasi-regex, uspports-color, micromacth, micromtach, universalfiy, anymtach, universaliyf, shebang-commnad, postscs-value-parser, postcss-vaule-parser, wbedil-conversions, imcromatch, http-errros, dypports-color, etsraverse, webidl-cnoversions, nuiversalify2, suppotrs-color, psotcss-value-parser, micromathc, postcss-value-aprser, jessc, mciromatch, supports-oclor, setraverse, jssec, sjesc, estarverse, ingore, estrvaerse, unievrsalify, mircomatch, postcss-val-parser, supports-coolr, webidl-convresions, webidl-converisons
Nature of the attack
In contrast to the dYdX campaign, this attack did not not target a specific organization. Rather, the threat actor opted to cast the widest net possible: with more than 1.5 billion (yes billion) downloads, the probability that someone would accidentally run npm install and make a typo is pretty high. Even if there was only one mistake out of f millions of downloads, it could result in the infection of tens if not hundreds of machines.
All of the uploaded packages had the same content. They contained:
- Readme is taken from the legit universalify package
- package.json with a preinstall hook
- MIT license of universalify
- The malicious exploder index.js file
the malicious code preinstall hook can be seen in line 25
Upon installation of this package, the malicious index.js would be executed. Its content was fairly simple. Aside from the boilerplate code, it tried to download a harmless-looking “README.txt.lnk” attachment from the discord CDN:
Why was discordapp selected as the source of the file? While we cannot know for sure, it may be that the attacker wanted to use a “legitime” source.
So, what does this enigmatic README.txt.lnk contain?
If you upload it to virustotal, there are several signatures from AV systems that trigger:
Inside of this file was another executable code:
That would download and run a VBS script:
And yet again, this VBS script when executed would perform few actions but the primary one was to download and install a backdoor password stealer/trojan:
Reducing Enterprise Application Security Risks:
More Work Needs to Be Done
Actions taken by Mend.io
The Mend Supply Chain Defender notified us about this malicious actor 17 minutes after the first package was published.
Once we confirmed that the attack was not a false positive, we reached out to npm and other parties involved and asked for the packages and the malicious content to be removed. All of the malicious packages were removed around 3pm UTC.
How to protect against similar attacks?
Sometimes, doing a manual review of installed packages is not enough – the preinstall hook used by the attacker is deceiving. Automated supply chain security solutions such as Mend Supply Chain Defender inform you when you import a malicious package that contains malicious code.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK