CyberSecurity news
FlagThis - #npm
|
SC Staff@scmagazine.com
// 23d
The Lazarus Group, a North Korean APT, is actively targeting developers through the npm ecosystem by publishing malicious packages. These packages are designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy backdoors. The attackers use typosquatting, mimicking legitimate library names to deceive developers into downloading the compromised versions. The packages contain BeaverTail malware and the InvisibleFerret backdoor and exhibit identical obfuscation techniques, cross-platform targeting, and command-and-control mechanisms consistent with previous Lazarus campaigns.
Six malicious npm packages have been identified, including postcss-optimizer, is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, and react-event-dependency. These packages have been collectively downloaded over 330 times and contain the BeaverTail malware, which functions as both an infostealer and a loader designed to steal login credentials, exfiltrate sensitive data, and deploy backdoors in compromised systems. The Lazarus Group also maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy. Recommended read:
References :
lucija.valentic@reversinglabs.com (Lucija@Blog (Main)
// 8d
A new malware campaign has been discovered targeting developers through malicious npm packages. Researchers at ReversingLabs identified two packages, ethers-provider2 and ethers-providerz, designed to inject reverse shells into locally installed instances of the popular 'ethers' library. This allows attackers to gain remote access to compromised systems. The attack cleverly hides its malicious payload, modifying legitimate files to ensure persistence even after the initial packages are removed.
This campaign showcases a sophisticated approach to software supply chain attacks. The malicious packages act as downloaders, patching the 'ethers' library with a reverse shell. Once 'ethers' is reinstalled, the modifications are reintroduced, granting attackers continued access. ReversingLabs detected the threat using their Spectra platform and have developed a YARA rule to identify compromised systems. While ethers-providerz has been removed, ethers-provider2 remains available, posing a substantial risk, especially if such tactics are deployed against more popular npm packages in the future. Recommended read:
References :
Pierluigi Paganini@Security Affairs
// 72d
Multiple malicious npm packages have been discovered targeting Solana private keys, posing a significant threat to users of Solana wallets. These packages, including '@async-mutex/mutex', 'dexscreener', 'solana-transaction-toolkit', and 'solana-stable-web-huks', use techniques like typosquatting to appear legitimate while secretly stealing and exfiltrating private keys. The threat actors utilize similar code to intercept private keys during wallet interactions and then route the stolen data through Gmail's SMTP servers. This leverages Gmail’s trusted status to evade detection by security systems, making it more difficult for firewalls to identify the malicious activity.
The malicious packages not only steal private keys but also actively drain victims' wallets. Packages such as 'solana-transaction-toolkit' and 'solana-stable-web-huks' have been found to transfer up to 98% of funds from the user's wallet to attacker-controlled addresses. Additionally, the threat actors have created fake GitHub repositories designed to look like helpful Solana development tools in order to further spread the malicious code. Security researchers have urged users to be cautious when downloading packages, especially those with unusual names or low download counts. While these packages are active, efforts are underway to remove them and associated GitHub repositories. Recommended read:
References :
info@thehackernews.com (The Hacker News)@The Hacker News
// 87d
Ethereum developers are being targeted by a supply chain attack involving malicious npm packages designed to look like legitimate Hardhat plugins. These fake packages, with names closely resembling real ones, are being used to steal sensitive data, including private keys and mnemonics. Researchers have identified at least 20 of these malicious packages, which have collectively been downloaded over 1,000 times. The attack exploits trust in the open-source ecosystem, specifically within the npm registry. Once installed, the malicious packages use Hardhat runtime functions to collect sensitive information and transmit it to attacker-controlled endpoints.
The attackers are using Ethereum smart contracts to store and distribute Command & Control (C2) server addresses, making it more difficult to disrupt their infrastructure. This strategy, combined with using hardcoded keys and Ethereum addresses, enables efficient data exfiltration. The campaign is attributed to a Russian-speaking threat actor known as "_lain." The compromised development environments could lead to backdoors in production systems and significant financial losses for affected developers. Developers are urged to verify package authenticity, inspect source code, and exercise caution when using package names. Recommended read:
References :
@socket.dev
// 62d
The North Korean state-sponsored hacking group Lazarus has been identified as the source of a sophisticated supply chain attack that targets software developers. The group employed a malicious Node Package Manager (NPM) package named "postcss-optimizer" to deliver malware. This package deceptively mimics the widely used postcss libraries. Security researchers at Socket discovered the malicious package and linked it directly to Lazarus Group, noting its code-level similarities to previous campaigns. The "postcss-optimizer" package has been downloaded 477 times and serves as a vector for deploying BeaverTail malware.
Once installed, BeaverTail functions as both an infostealer and a malware loader. It is designed to compromise systems across Windows, macOS, and Linux. The malware's targets include browser cookies, credentials, and cryptocurrency wallet files. The information is exfiltrated to a command-and-control server. It is suspected to deliver secondary payloads such as InvisibleFerret, a known backdoor associated with Lazarus. The attackers used the deceptive npm registry alias "yolorabbit" to further confuse developers, who might have believed they were downloading legitimate software. Recommended read:
References :
@github.com
// 77d
References:
checkmarx.com
, malware.news
,
A significant issue has arisen within the NPM ecosystem due to confusion between two similar commands: `npm add user` and `npm adduser`. The command `npm add user`, intended as an alias for `npm install`, has inadvertently led a large number of developers to install a package named 'user'. This error stems from the similarity in commands and the chance of a developer hitting a whitespace when quickly typing 'npm adduser', which is used to create a user in the registry. This oversight, which was pointed out in a Pull Request but ignored, underscores a concerning supply chain vulnerability that could be exploited.
This innocent looking ‘user’ package, currently a simple hello-world application, has been downloaded nearly 12 million times. The concern is that the benign package could be updated in the future to include malicious code. NPM reports 2760 dependent packages, with at least 20 added in December 2024 alone, indicating the widespread nature of this mistake. This means that a future update to the ‘user’ package would pose a risk to the thousands of developers who have inadvertently installed it and any packages that depend on it, turning a simple typo into a potential security nightmare. Recommended read:
References :
|