CyberSecurity news

FlagThis - #opensource

@SecureWorld News (Drew, drewt@secureworldexpo.com) //
A surge in malicious packages targeting crypto wallets, Telegram tokens, and codebase integrity has been reported across npm, PyPI, and RubyGems, highlighting the persistent vulnerability of the open-source software supply chain. Threat actors are actively exploiting human trust by publishing clones of legitimate software packages. Once installed, these malicious clones execute harmful payloads, ranging from cryptocurrency theft to complete codebase deletion. Researchers have uncovered instances where Telegram API traffic is rerouted to attacker-controlled command-and-control servers, exfiltrating sensitive data like bot tokens, chat IDs, message content, and attached files.

This malicious activity is not limited to package repositories. A sophisticated campaign has been uncovered that uses deceptive websites spoofing Gitcode and DocuSign to trick users into running malicious PowerShell scripts on their Windows machines. These websites lure victims into copying and pasting scripts into the Windows Run prompt, leading to the installation of the NetSupport RAT (Remote Access Trojan). The scripts often employ multi-stage downloaders, retrieving additional payloads from various domains to further compromise the infected system.

Sophos researchers also exposed a large-scale GitHub campaign in which backdoored malware was disguised as legitimate tools. The campaign revolved around numerous repositories posing as exploits, game cheats, and open-source tools. Compiling the code triggered infection chains involving VBS scripts, PowerShell downloads, and obfuscated Electron apps, ultimately deploying info-stealers and RATs. These campaigns rely on several forms of deception, including automated commits that give the impression of active development and obfuscated payloads that evade detection, showing the lengths these actors will go to in order to exploit the software supply chain.

References:
  • SecureWorld News: Malicious Open-Source Packages Target Crypto Wallets, Telegram Tokens, and Codebases
  • The Hacker News: Fake DocuSign, Gitcode Sites Spread NetSupport RAT via Multi-Stage PowerShell Attack
  • Catalin Cimpanu: A threat actor compromised 16 npm libraries from the Gluestack UI framework. The attacker compromised a Gluestack admin's account, added a RAT to the libraries, and pushed updates on Friday. It's the same threat actor behind the rand-user-agent package last month.
  • securityaffairs.com: SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 48
  • The Hacker News: New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally
  • www.linkedin.com: The attacker compromised a Gluestack admin's account, added a RAT to the libraries, and pushed updates on Friday.
  • hackread.com: Hidden Backdoors in npm Packages Let Attackers Wipe Entire Systems
  • bsky.app: A significant supply chain attack hit NPM after 15 popular Gluestack packages with over 950,000 weekly downloads were compromised to include malicious code that acts as a remote access trojan (RAT).
  • BleepingComputer: Supply chain attack hits Gluestack NPM packages with 960K weekly downloads
  • www.itpro.com: Developers beware: Malware has been found in a dozen popular NPM packages – here’s what you need to know
@securebulletin.com //
A concerning trend of hackers exploiting open-source software supply chains has been identified, with malicious backdoors being planted in Python and NPM packages. Security researchers at Checkmarx Zero have uncovered a sophisticated campaign where attackers are using typosquatting and name-confusion tactics to trick users into downloading harmful software. This cross-ecosystem approach targets both Windows and Linux systems, deploying multi-platform payloads with the capability to steal data and establish remote control. These findings highlight the growing need for enhanced security measures within open-source ecosystems to combat supply chain attacks.

This campaign leverages the Python Package Index (PyPI) and Node Package Manager (NPM) by mimicking legitimate software. Specifically, the attack targeted users of "colorama," a popular Python tool, and "colorizr," a similar JavaScript package, by uploading packages with names like "coloramapkgs" and "colorizator". The malicious packages carry dangerous payloads designed to give attackers remote access and control, allowing them to harvest and exfiltrate sensitive data. On Windows systems, the malware attempts to bypass antivirus software, while on Linux, it establishes encrypted connections, steals information, and maintains a hidden presence.

Fortunately, the identified malicious packages have been removed from public software repositories, limiting their immediate potential for damage. However, the lack of clear attribution data makes it difficult to trace the campaign back to a known adversary. Vet, an open-source tool designed to help developers and security engineers spot risks in their software supply chains, goes beyond traditional software composition analysis by detecting known vulnerabilities and flagging malicious packages. It supports ecosystems like npm, PyPI, Maven, Go, Docker, and GitHub Actions, assisting in the detection of supply chain attacks.

References:
  • ciso2ciso.com: News and insights for CISOs from CISO2CISO.
  • cyberpress.org: PyPI Supply Chain Attacks Hit Python and NPM Users on Windows and Linux, according to CyberPress.
  • hackread.com: Hackread reports on Backdoors in Python and NPM Packages Target Windows and Linux.
  • securityonline.info: Stealthy npm supply chain attack using typosquatting leads to remote code execution and data destruction.
  • Cyber Security News: PyPI Supply Chain Attacks Hit Python and NPM Users on Windows and Linux
  • The Hacker News: Malicious PyPI, npm, and Ruby Packages Exposed in Ongoing Open-Source Supply Chain Attacks
  • securebulletin.com: Sophos exposes massive GitHub campaign distributing backdoored malware
  • Catalin Cimpanu: A threat actor compromised 16 npm libraries from the Gluestack UI framework.
  • securityaffairs.com: Over 950K weekly downloads at risk in ongoing supply chain attack on Gluestack packages
  • The Hacker News: New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally
  • The Register - Security: Sophos thinks a single person or group called "ischhfd83" is behind more than a hundred backdoored malware variants targeting novice cybercriminals and video game cheaters looking to get their hands on malicious code.
  • www.darknet.org.uk: Attackers are now exploiting GitHub's Dependabot to inject malicious code through pull request workflows. Learn how this happens and what real-world impact it can cause.
  • Talkback Resources: TL;DR : Your trusty Dependabot (and other GitHub bots) might be an unwitting accomplice. Through "Confused Deputy" attacks, they can be tricked into merging malicious code.
  • www.linkedin.com: LinkedIn Post discussing the Gluestack NPM supply chain attack
  • BleepingComputer: Supply chain attack hits Gluestack NPM packages with 960K weekly downloads
@Wiz Blog | RSS feed //
A widespread cryptojacking campaign is targeting misconfigured DevOps infrastructure, including Nomad, Consul, Docker, and Gitea, to illicitly mine Monero cryptocurrency. The attackers, tracked as JINX-0132, are exploiting known misconfigurations and vulnerabilities in publicly accessible web servers to deploy mining software. This campaign marks the first publicly documented instance of Nomad misconfigurations being exploited as an attack vector.

The JINX-0132 group avoids attributable tooling and infrastructure, downloading its tools directly from public GitHub repositories, including standard release builds of XMRig. This "living-off-open-source" approach complicates detection and makes it hard to cluster their activity into a single campaign. They abuse insecure configurations and vulnerable software versions to hijack DevOps web servers.

HashiCorp Nomad and Consul, Docker API, and Gitea servers are being targeted. Affected Nomad instances can manage hundreds of clients, representing significant compute power. To prevent such attacks, organizations are advised to review their configurations, activate security features like access control lists (ACLs) for Nomad, and properly configure Consul to prevent unauthorized access and resource utilization.
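To make the recommended hardening concrete, here is an added example (not taken from the Wiz report) showing the weak and corrected forms of the two settings the advice points at: the Nomad agent's ACL system and the Consul agent's ACL policy. File names and comments are illustrative assumptions; the `acl` block keys are the agents' documented configuration options.

```hcl
# Added example (not from the Wiz report): weak vs. hardened agent settings.
# The two files below are shown side by side for comparison; in practice each
# block lives in its own agent configuration file.

# --- Nomad agent (assumed file name: nomad.hcl) ---
# Weak: ACLs off. Anyone who can reach the Nomad HTTP API (TCP 4646) can
# submit a job, which is how a miner gets scheduled onto every client node.
# acl {
#   enabled = false
# }

# Hardened: turn the ACL system on. After bootstrapping the management token,
# define least-privilege policies and require a token on every API request.
acl {
  enabled = true
}

# --- Consul agent (assumed file name: consul.hcl) ---
# Weak: ACLs disabled (the default), so the KV store, catalog and service
# registration are readable and writable by any client on the network.
# acl {
#   enabled = false
# }

# Hardened: enable ACLs with a deny-by-default policy so that unauthenticated
# requests can neither read nor write; persist tokens so agents keep them
# across restarts.
acl {
  enabled                  = true
  default_policy           = "deny"
  enable_token_persistence = true
}
```

The same review applies to the Docker API mentioned in the report: a daemon listening on a plain TCP socket (the conventional `tcp://0.0.0.0:2375`) without TLS client verification gives any network peer full control of the host, so the API should stay on the local Unix socket or be exposed only with TLS and client certificates. Enabling ACLs is only the first step; the cluster still needs its management token bootstrapped and per-service policies written, otherwise the enabled-but-unconfigured state can block legitimate jobs while providing no real protection.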
