Incident hitting npm users is likely the biggest supply-chain attack ever.
Credit: Getty Images
Hackers planted malicious code in open source software packages with more than 2 billion weekly updates in what is likely to be the world’s biggest supply-chain attack ever.
The attack, which compromised nearly two dozen packages hosted on the npm repository, came to public notice on Monday in social media posts. Around the same time, Josh Junon, a maintainer or co-maintainer of the affected packages, said he had been “pwned” after falling for an email that claimed his account on the platform would be closed unless he logged into a site and updated his two-factor authentication credentials.
Defeating 2FA the easy way
“Sorry everyone, I should have paid more attention,” Junon, who uses the moniker Qix, wrote. “Not like me; have had a stressful week. Will work to get this cleaned up.”
The unknown attackers behind the account compromise wasted no time capitalizing on it. Within an hour, dozens of open source packages Junon oversees had received updates that added malicious code for diverting cryptocurrency payments to attacker-controlled wallets. The addition, more than 280 lines of code, worked by monitoring infected systems for cryptocurrency transactions and changing the addresses of wallets receiving payments to those controlled by the attacker.
The packages that were compromised, which at last count numbered 20, included some of the most foundational code driving the JavaScript ecosystem. They are used directly and also have thousands of dependents, meaning other npm packages that don’t work unless they are also installed. (npm is the official code repository for JavaScript files.)
“The overlap with such high-profile projects significantly increases the blast radius of this incident,” researchers from security firm Socket said. “By compromising Qix, the attackers gained the ability to push malicious versions of packages that are indirectly depended on by countless applications, libraries, and frameworks.”
The researchers added: “Given the scope and the selection of packages impacted, this appears to be a targeted attack designed to maximize reach across the ecosystem.”
The email message Junon fell for came from an email address at support.npmjs.help, a domain created three days ago to mimic the official npmjs.com used by npm. It said Junon’s account would be closed unless he updated information related to his 2FA—which requires users to present a physical security key or supply a one-time passcode provided by an authenticator app in addition to a password when logging in.
According to an analysis from security firm Aikido, the malicious code injects itself into the web browser of infected systems and monitors for transfers involving Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash. When such a transaction is detected, the malicious code replaces the destination wallet with an attacker-controlled address. The malware works by hooking JavaScript functions, including fetch, XMLHttpRequest, and wallet APIs. Hooking gives code control over functions so they can be stopped or altered at certain execution points.
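One defender-side check for the hooking described above, added here as an example and not code from the article or from Aikido: it reports whether fetch and the XMLHttpRequest methods on a given global object are still native built-ins. The names `isNativeFunction` and `checkHooks` are this example's own, and the check is a heuristic, as the comments explain.

```javascript
// Added example (not from the article, Aikido or Socket): integrity check for the
// browser APIs the analysis says were hooked. A hook replaces a built-in with an
// ordinary JavaScript function, so the pristine Function.prototype.toString no
// longer reports "[native code]" for it.

const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;
const pristineToString = Function.prototype.toString; // capture before any page script runs

function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  // Use the captured toString so an overridden fn.toString cannot answer for a wrapper.
  return NATIVE_RE.test(pristineToString.call(fn));
}

// Report 'native', 'HOOKED' or 'absent' for each API named in the analysis.
// `g` is the global object (window in a browser); passing it in keeps the check testable.
// Note: Node implements fetch in JavaScript, so run this in the browser, or pass a
// constructed object as the accompanying checks do, to avoid a false 'HOOKED'.
function checkHooks(g) {
  const xhr = g.XMLHttpRequest && g.XMLHttpRequest.prototype;
  const targets = {
    fetch: g.fetch,
    'XMLHttpRequest.prototype.open': xhr && xhr.open,
    'XMLHttpRequest.prototype.send': xhr && xhr.send,
  };
  const report = {};
  for (const [name, fn] of Object.entries(targets)) {
    report[name] = fn == null ? 'absent' : isNativeFunction(fn) ? 'native' : 'HOOKED';
  }
  return report;
}

// Caveats: bound functions and Proxy objects also print "[native code]", and a script
// that loads first can patch Function.prototype.toString itself, so a 'native' result
// is only a heuristic; 'HOOKED' is the signal worth alerting on.
```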
Socket listed the following packages as affected:
- backslash@0.2.1
- chalk@5.6.1
- chalk-template@1.1.1
- color-convert@3.1.1
- color-name@2.0.1
- color-string@2.1.1
- wrap-ansi@9.0.1
- supports-hyperlinks@4.1.1
- strip-ansi@7.1.1
- slice-ansi@7.1.1
- simple-swizzle@0.2.3
- is-arrayish@0.3.3
- error-ex@1.3.3
- has-ansi@6.0.1
- ansi-regex@6.2.1
- ansi-styles@6.2.2
- supports-color@10.2.1
- proto-tinker-wc@1.8.7
- debug@4.4.2
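A lockfile audit for exactly the versions listed above, added here as an example and not code from the article or from Socket. The version set is copied from the list; `findCompromised` and the constructed `SAMPLE_LOCK_V3` are this example's own assumptions.

```javascript
// Added example (not from the article or Socket): scan a package-lock.json for the
// exact package@version pairs Socket listed. Handles lockfileVersion 2/3 (flat
// "packages" map keyed by install path) and lockfileVersion 1 (nested "dependencies").
const AFFECTED = new Set([
  'backslash@0.2.1', 'chalk@5.6.1', 'chalk-template@1.1.1', 'color-convert@3.1.1',
  'color-name@2.0.1', 'color-string@2.1.1', 'wrap-ansi@9.0.1', 'supports-hyperlinks@4.1.1',
  'strip-ansi@7.1.1', 'slice-ansi@7.1.1', 'simple-swizzle@0.2.3', 'is-arrayish@0.3.3',
  'error-ex@1.3.3', 'has-ansi@6.0.1', 'ansi-regex@6.2.1', 'ansi-styles@6.2.2',
  'supports-color@10.2.1', 'proto-tinker-wc@1.8.7', 'debug@4.4.2',
]);

// "node_modules/chalk/node_modules/ansi-styles" -> "ansi-styles" (scoped names keep "@scope/").
function nameFromPath(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? key : key.slice(i + 'node_modules/'.length);
}

// Flatten a v1 "dependencies" tree into {name, version, path} records.
function* walkV1(deps, parent) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${parent}node_modules/${name}`;
    yield { name, version: entry.version, path };
    yield* walkV1(entry.dependencies, `${path}/`);
  }
}

// Returns sorted "name@version (install path)" strings for every listed version found.
function findCompromised(lock, affected = AFFECTED) {
  const records = lock.packages
    ? Object.entries(lock.packages)
        .filter(([key]) => key !== '') // "" is the root project itself
        .map(([key, e]) => ({ name: e.name || nameFromPath(key), version: e.version, path: key }))
    : [...walkV1(lock.dependencies, '')];
  return records
    .filter((r) => r.version && affected.has(`${r.name}@${r.version}`))
    .map((r) => `${r.name}@${r.version} (${r.path})`)
    .sort();
}

// Constructed v3 lockfile: top-level chalk is a clean version, but a nested
// ansi-styles and the top-level debug are the listed versions.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '5.6.2' },
    'node_modules/chalk/node_modules/ansi-styles': { version: '6.2.2' },
    'node_modules/debug': { version: '4.4.2' },
    'node_modules/ms': { version: '2.1.3' },
  },
};
```

Run `findCompromised(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))` against a real lockfile; a non-empty result means a listed version is pinned somewhere in the tree, including nested copies that `npm ls` at the top level would not show.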
Word of the attack on the npm repository came as two other supply-chain attacks took aim at other repositories that are influential in the open-source software ecosystem. One, disclosed Friday by security firm GitGuardian, compromised 3,325 authentication secrets for accounts on PyPI, npm, Docker Hub, GitHub, Cloudflare, and Amazon Web Services. In all, 327 GitHub users across 817 repositories were affected.
In the attack, compromised maintainer accounts pushed package updates that added malicious GitHub Actions workflows that extracted tokens and other sorts of authentication secrets. As of Friday, GitGuardian said, nine npm and 15 PyPI packages were at risk of compromise.
A separate supply-chain attack also hit users of GitHub last month, security firm Wiz reported last week. It targeted Nx, an open source build system and repository management tool used in enterprise settings. The initial compromise began with the attackers obtaining a valid authentication token for an npm account.
The malicious code extracted GitHub and npm tokens stored on compromised systems. It also abused AI command-line interfaces to identify additional files that might be useful for accessing repositories of interest. A second phase of the attack used the compromised GitHub tokens to expose private repositories by making them public on the victims’ GitHub profiles. The pilfered credentials were uploaded to GitHub repositories whose names contained s1ngularity-repository, which is the basis for the name s1ngularity that Wiz has given to the incident.