Packages – INDIA NEWS (https://www.indiavpn.org), News Blog feed, last built Thu, 21 Mar 2024 14:52:28 +0000

Over 800 npm Packages Found with Discrepancies, 18 Exploitable to ‘Manifest Confusion’
https://www.indiavpn.org/2024/03/21/over-800-npm-packages-found-with-discrepancies-18-exploitable-to-manifest-confusion/
Published Thu, 21 Mar 2024 14:52:28 +0000

Mar 21, 2024 | Newsroom | Software Security / Open Source

New research has discovered over 800 packages in the npm registry which have discrepancies from their registry entries, out of which 18 have been found to exploit a technique called manifest confusion.

The findings come from cybersecurity firm JFrog, which said the issue could be exploited by threat actors to trick developers into running malicious code.

“It’s an actual threat since developers may be tricked into downloading packages that look innocent, but whose hidden dependencies are actually malicious,” security researcher Andrey Polkovnichenko told The Hacker News.


Manifest confusion was first documented in July 2023, when security researcher Darcy Clarke found that mismatches in manifest and package metadata could be weaponized to stage software supply chain attacks.

The problem stems from the fact that the npm registry does not validate whether the manifest file contained in the tarball (package.json) matches the manifest data provided to the npm server during the publishing process via an HTTP PUT request to the package URI endpoint.

As a result, a threat actor could take advantage of this lack of cross verification to supply a different manifest containing hidden dependencies that’s processed during package installation to stealthily install malicious dependencies onto the developer’s system.

“The visible, or ‘fake,’ manifest can mislead developers and even audit tools that rely on the data available in the npm registry database,” JFrog said. “In reality, the installer takes the file package.json from the tarball, which may be different from the visible one supplied in the HTTP PUT request.”
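The check JFrog describes is mechanical: pull the manifest the registry displays and the package.json inside the tarball, and diff the fields npm acts on at install time. The script below is an added example, not JFrog's or npm's code; the registry document and the tarball are constructed inline so it runs offline, and the package name, the dependency names and the URLs in the comments are assumptions for illustration.

```python
"""Detect npm manifest confusion: compare the manifest the registry shows
with the package.json actually inside the tarball.

Added example (not JFrog's or npm's code). In practice the registry view
comes from https://registry.npmjs.org/<name>/<version> and the tarball from
that document's "dist.tarball" URL (assumed here); both are constructed
inline below so the script runs offline."""
import io
import json
import tarfile

# Fields the installer acts on; a mismatch here means the registry view
# and what actually gets installed disagree.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts")


def read_tarball_manifest(tarball_bytes: bytes) -> dict:
    """Return the package.json that `npm install` will really use.

    npm tarballs place every file under a top-level "package/" directory."""
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.name in ("package/package.json", "./package/package.json"):
                return json.loads(tar.extractfile(member).read())
    raise ValueError("tarball contains no package/package.json")


def find_discrepancies(registry_manifest: dict, tarball_manifest: dict) -> dict:
    """Diff the checked fields; returns {field: (registry_value, tarball_value)}."""
    diffs = {}
    for field in CHECKED_FIELDS:
        reg, tar = registry_manifest.get(field), tarball_manifest.get(field)
        if reg != tar:
            diffs[field] = (reg, tar)
    return diffs


def hidden_dependencies(registry_manifest: dict, tarball_manifest: dict) -> dict:
    """Dependencies the tarball declares that the registry view does not show."""
    visible = registry_manifest.get("dependencies") or {}
    real = tarball_manifest.get("dependencies") or {}
    return {name: spec for name, spec in real.items() if name not in visible}


def build_tarball(manifest: dict) -> bytes:
    """Constructed helper: pack a package.json into an npm-style tar.gz."""
    buf = io.BytesIO()
    payload = json.dumps(manifest).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def audit(registry_manifest: dict, tarball_bytes: bytes) -> dict:
    """Full check: field-level diff plus the list of hidden dependencies."""
    real = read_tarball_manifest(tarball_bytes)
    return {"discrepancies": find_discrepancies(registry_manifest, real),
            "hidden_dependencies": hidden_dependencies(registry_manifest, real)}


# Constructed sample (assumed names): what the registry shows vs the tarball.
REGISTRY_VIEW = {"name": "demo-pkg", "version": "1.0.0",
                 "dependencies": {"lodash": "^4.17.21"}, "scripts": {}}
TARBALL_VIEW = {"name": "demo-pkg", "version": "1.0.0",
                "dependencies": {"lodash": "^4.17.21", "hidden-dep-example": "1.2.3"},
                "scripts": {"postinstall": "node setup.js"}}
SAMPLE_TARBALL = build_tarball(TARBALL_VIEW)

if __name__ == "__main__":
    print(json.dumps(audit(REGISTRY_VIEW, SAMPLE_TARBALL), indent=2))
```

Run against a real package, `hidden_dependencies` is the field to alert on: a dependency that appears only in the tarball is exactly the case the article describes, since audit tooling that reads the registry API will never see it.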


The company said it identified more than 800 packages where there was a mismatch between the manifest in the npm registry and the package.json file inside the tarball.

While many of these mismatches are the result of protocol specification differences or variations in the scripts section of the package file, 18 of them are said to have been designed to exploit manifest confusion.

A notable package in question is yatai-web-ui, which is designed to send an HTTP request to a server with information about the IP address of the machine in which the package was installed.


The findings show that the attack vector seems to have never been put to use by threat actors. That said, it’s crucial that developers take steps to ensure the packages are free of suspicious behaviors.

“Since this issue was not resolved by npm, trusting packages only by how they look on npm’s website, might be risky,” Polkovnichenko said.

“Organizations should introduce procedures that verify that all packages that enter the organization or are used by their dev teams are safe and can be trusted. Specifically in the case of manifest confusion, it’s required that every package is analyzed to see if there are any hidden dependencies.”

These PyPI Python Packages Can Drain Your Crypto Wallets
https://www.indiavpn.org/2024/03/12/these-pypi-python-packages-can-drain-your-crypto-wallets/
Published Tue, 12 Mar 2024 12:35:55 +0000

Mar 12, 2024 | The Hacker News | Cryptocurrency / Cybercrime


Threat hunters have discovered a set of seven packages on the Python Package Index (PyPI) repository that are designed to steal BIP39 mnemonic phrases used for recovering private keys of a cryptocurrency wallet.

The software supply chain attack campaign has been codenamed BIPClip by ReversingLabs. The packages were collectively downloaded 7,451 times prior to them being removed from PyPI. The list of packages is as follows –

BIPClip, which is aimed at developers working on projects related to generating and securing cryptocurrency wallets, is said to be active since at least December 4, 2022, when hashdecrypt was first published to the registry.

“This is just the latest software supply chain campaign to target crypto assets,” security researcher Karlo Zanki said in a report shared with The Hacker News. “It confirms that cryptocurrency continues to be one of the most popular targets for supply chain threat actors.”


In a sign that the threat actors behind the campaign were careful to avoid detection, one of the packages in question — mnemonic_to_address — was devoid of any malicious functionality, barring listing bip39-mnemonic-decrypt as its dependency, which contained the malicious component.

“Even if they did opt to look at the package’s dependencies, the name of the imported module and invoked function are carefully chosen to mimic legitimate functions and not raise suspicion, since implementations of the BIP39 standard include many cryptographic operations,” Zanki explained.

The package, for its part, is designed to steal mnemonic phrases and exfiltrate the information to an actor-controlled server.

Two other packages identified by ReversingLabs – public-address-generator and erc20-scanner – operate in an analogous fashion, with the former acting as a lure to transmit the mnemonic phrases to the same command-and-control (C2) server.

On the other hand, hashdecrypts functions a little differently in that it’s not conceived to work as a pair and contains within itself near-identical code to harvest the data.

The package, per the software supply chain security firm, includes references to a GitHub profile named “HashSnake,” which features a repository called hCrypto that’s advertised as a way to extract mnemonic phrases from crypto wallets using the package hashdecrypts.

A closer examination of the repository’s commit history reveals that the campaign has been underway for over a year based on the fact that one of the Python scripts previously imported the hashdecrypt (without the “s”) package instead of hashdecrypts until March 1, 2024, the same date hashdecrypts was uploaded to PyPI.

It’s worth pointing out that the threat actors behind the HashSnake account also have a presence on Telegram and YouTube to advertise their warez. This includes releasing a video on September 7, 2022, showcasing a crypto logs checker tool dubbed xMultiChecker 2.0.

“The content of each of the discovered packages was carefully crafted to make them look less suspicious,” Zanki said.

“They were laser focused on compromising crypto wallets and stealing the crypto currencies they contained. That absence of a broader agenda and ambitions made it less likely this campaign would trip up security and monitoring tools deployed within compromised organizations.”


The findings once again underscore the security threats that lurk within open-source package repositories, which is exacerbated by the fact that legitimate services like GitHub are used as a conduit to distribute malware.

Furthermore, abandoned projects are becoming an attractive vector for threat actors to seize control of the developer accounts and publish trojanized versions that could then pave the way for large-scale supply chain attacks.


“Abandoned digital assets are not relics of the past; they are ticking time bombs and attackers have been increasingly taking advantage of them, transforming them into trojan horses within the open-source ecosystems,” Checkmarx noted last month.

“MavenGate and CocoaPods case studies highlight how abandoned domains and subdomains could be hijacked to mislead users and spread malicious intent.”

North Korean Hackers Targeting Developers with Malicious npm Packages
https://www.indiavpn.org/2024/02/26/north-korean-hackers-targeting-developers-with-malicious-npm-packages/
Published Mon, 26 Feb 2024 13:19:39 +0000

Feb 26, 2024 | The Hacker News | Software Security / Cryptocurrency


A set of fake npm packages discovered on the Node.js repository has been found to share ties with North Korean state-sponsored actors, new findings from Phylum show.

The packages are named execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils.

One of the packages in question, execution-time-async, masquerades as its legitimate counterpart execution-time, a library with more than 27,000 weekly downloads. Execution-time is a Node.js utility used to measure execution time in code.

It “actually installs several malicious scripts including a cryptocurrency and credential stealer,” Phylum said, describing the campaign as a software supply chain attack targeting software developers. The package was downloaded 302 times since February 4, 2024, before being taken down.


In an interesting twist, the threat actors made efforts to conceal the obfuscated malicious code in a test file, which is designed to fetch next-stage payloads from a remote server, steal credentials from web browsers like Brave, Google Chrome, and Opera, and retrieve a Python script, which, in turn, downloads other scripts –

  • ~/.n2/pay, which can run arbitrary commands, download and launch ~/.n2/bow and ~/.n2/adc, terminate Brave and Google Chrome, and even delete itself
  • ~/.n2/bow, which is a Python-based browser password stealer
  • ~/.n2/adc, which installs AnyDesk on Windows

Phylum said it identified comments in the source code (“/Users/ninoacuna/”) that made it possible to track down a now-deleted GitHub profile with the same name (“Nino Acuna” or binaryExDev) containing a repository called File-Uploader.

Present within the repository were Python scripts referencing the same IP addresses (162.218.114[.]83 – subsequently changed to 45.61.169[.]99) used to fetch the aforementioned Python scripts.


It’s suspected that the attack is a work in progress, as at least four more packages with identical features have made their way to the npm package repository, attracting a total of 325 downloads –

Connections to North Korean Actors Emerge

Phylum, which also analyzed the two GitHub accounts that binaryExDev follows, uncovered another repository known as mave-finance-org/auth-playground, which has been forked no less than a dozen times by other accounts.


While forking a repository in itself isn’t unusual, an unusual aspect of some of these forked repositories was that they were renamed “auth-demo” or “auth-challenge,” raising the possibility that the original repository may have been shared as part of a coding test for a job interview.

The repository was later moved to banus-finance-org/auth-sandbox, Dexbanus-org/live-coding-sandbox, and mave-finance/next-assessment, indicating attempts to actively get around GitHub’s takedown attempts. All these accounts have been removed.


What’s more, the next-assessment package was found to contain a dependency “json-mock-config-server” that’s not listed on the npm registry, but rather served directly from the domain npm.mave[.]finance.

It’s worth noting that Banus claims to be a decentralized perpetual spot exchange based in Hong Kong, with the company even posting a job opportunity for a senior frontend developer on February 21, 2024. It’s currently not clear if this is a genuine job opening or if it’s an elaborate social engineering scheme.

The connections to North Korean threat actors come from the fact that the obfuscated JavaScript embedded in the npm package overlaps with another JavaScript-based malware dubbed BeaverTail that’s propagated via npm packages. The campaign was codenamed Contagious Interview by Palo Alto Networks Unit 42 in November 2023.

Contagious Interview is a little different from Operation Dream Job – which is linked to the Lazarus Group – in that it’s mainly focused on targeting developers through fake identities in freelance job portals to trick them into installing rogue npm packages, Michael Sikorski, vice president and CTO of Palo Alto Networks Unit 42, told The Hacker News at the time.

One of the developers who fell victim to the campaign has since confirmed to Phylum that the repository is shared under the guise of a live coding interview, although they said they never installed it on their system.

“More than ever, it is important for both individual developers as well as software development organizations to remain vigilant against these attacks in open-source code,” the company said.

New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics
https://www.indiavpn.org/2024/02/20/new-malicious-pypi-packages-caught-using-covert-side-loading-tactics/
Published Tue, 20 Feb 2024 15:44:33 +0000

Feb 20, 2024 | Newsroom | Malware / Supply Chain Security


Cybersecurity researchers have discovered two malicious packages on the Python Package Index (PyPI) repository that were found leveraging a technique called DLL side-loading to circumvent detection by security software and run malicious code.

The packages, named NP6HelperHttptest and NP6HelperHttper, were each downloaded 537 and 166 times, respectively, before they were taken down.

“The latest discovery is an example of DLL sideloading executed by an open-source package that suggests the scope of software supply chain threats is expanding,” ReversingLabs researcher Petar Kirhmajer said in a report shared with The Hacker News.


The name NP6 is notable as it refers to a legitimate marketing automation solution made by ChapsVision. In particular, the fake packages are typosquats of NP6HelperHttp and NP6HelperConfig, which are helper tools published by one of ChapsVision’s employees to PyPI.

In other words, the goal is to trick developers searching for NP6HelperHttp and NP6HelperConfig into downloading their rogue counterparts.


Contained within the two libraries is a setup.py script that’s designed to download two files, an actual executable from Beijing-based Kingsoft Corporation (“ComServer.exe”) that’s vulnerable to DLL side-loading and the malicious DLL to be side-loaded (“dgdeskband64.dll”).

In side-loading the DLL, the aim is to avoid detection of the malicious code, as observed previously in the case of an npm package called aabquerys that also leveraged the same technique to execute code capable of deploying a remote access trojan.

The DLL, for its part, reaches out to an attacker-controlled domain (“us.archive-ubuntu[.]top”) to fetch a GIF file that, in reality, is a piece of shellcode for a Cobalt Strike Beacon, a post-exploitation toolkit used for red teaming.


There is evidence to suggest that the packages are part of a wider campaign that involves the distribution of similar executables that are susceptible to DLL side-loading.

“Development organizations need to be aware of the threats related to supply chain security and open-source package repositories,” security researcher Karlo Zanki said.

“Even if they are not using open-source package repositories, that doesn’t mean that threat actors won’t abuse them to impersonate companies and their software products and tools.”

Ubuntu ‘command-not-found’ Tool Could Trick Users into Installing Rogue Packages
https://www.indiavpn.org/2024/02/14/ubuntu-command-not-found-tool-could-trick-users-into-installing-rogue-packages/
Published Wed, 14 Feb 2024 16:24:01 +0000

Feb 14, 2024 | Newsroom | Software Security / Vulnerability


Cybersecurity researchers have found that it’s possible for threat actors to exploit a well-known utility called command-not-found to recommend their own rogue packages and compromise systems running the Ubuntu operating system.

“While ‘command-not-found’ serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages,” cloud security firm Aqua said in a report shared with The Hacker News.

Installed by default on Ubuntu systems, command-not-found suggests packages to install in interactive bash sessions when attempting to run commands that are not available. The suggestions include both the Advanced Packaging Tool (APT) and snap packages.

While the tool uses an internal database (“/var/lib/command-not-found/commands.db”) to suggest APT packages, it relies on the “advise-snap” command to suggest snaps that provide the given command.


Thus, should an attacker be able to game this system and have their malicious package recommended by the command-not-found package, it could pave the way for software supply chain attacks.

Aqua said it found a potential loophole wherein the alias mechanism can be exploited by the threat actor to potentially register the corresponding snap name associated with an alias and trick users into installing the malicious package.

What’s more, an attacker could claim the snap name related to an APT package and upload a malicious snap, which then ends up being suggested when a user types in the command on their terminal.


“The maintainers of the ‘jupyter-notebook’ APT package had not claimed the corresponding snap name,” Aqua said. “This oversight left a window of opportunity for an attacker to claim it and upload a malicious snap named ‘jupyter-notebook.’”

To make matters worse, the command-not-found utility suggests the snap package above the legitimate APT package for jupyter-notebook, misleading users into installing the fake snap package.

As many as 26% of the APT package commands are vulnerable to impersonation by malicious actors, Aqua noted, presenting a substantial security risk, as they could be registered under an attacker’s account.

A third category entails typosquatting attacks in which typographical errors made by users (e.g., ifconfigg instead of ifconfig) are leveraged to suggest bogus snap packages by registering a fraudulent package with the name “ifconfigg.”


In such a case, command-not-found “would mistakenly match it to this incorrect command and recommend the malicious snap, bypassing the suggestion for ‘net-tools’ altogether,” Aqua researchers explained.

Describing the abuse of the command-not-found utility to recommend counterfeit packages as a pressing concern, the company is urging users to verify the source of a package before installation and check the maintainers’ credibility.

Developers of APT and snap packages have also been advised to register the associated snap name for their commands to prevent them from being misused.

“It remains uncertain how extensively these capabilities have been exploited, underscoring the urgency for heightened vigilance and proactive defense strategies,” Aqua said.

Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines
https://www.indiavpn.org/2024/01/29/malicious-pypi-packages-slip-whitesnake-infostealer-malware-onto-windows-machines/
Published Mon, 29 Jan 2024 06:40:25 +0000

Jan 29, 2024 | Newsroom | PyPI Repository / Malware


Cybersecurity researchers have identified malicious packages on the open-source Python Package Index (PyPI) repository that deliver an information stealing malware called WhiteSnake Stealer on Windows systems.

The malware-laced packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They have been uploaded by a threat actor named “WS.”

“These packages incorporate Base64-encoded source code of PE or other Python scripts within their setup.py files,” Fortinet FortiGuard Labs said in an analysis published last week.

“Depending on the victim devices’ operating system, the final malicious payload is dropped and executed when these Python packages are installed.”


While Windows systems are infected with WhiteSnake Stealer, compromised Linux hosts are served a Python script designed to harvest information. The activity, which predominantly targets Windows users, overlaps with a prior campaign that JFrog and Checkmarx disclosed last year.

“The Windows-specific payload was identified as a variant of the […] WhiteSnake malware, which has an Anti-VM mechanism, communicates with a C&C server using the Tor protocol, and is capable of stealing information from the victim and executing commands,” JFrog noted in April 2023.

It’s also designed to capture data from web browsers, cryptocurrency wallets, and apps like WinSCP, CoreFTP, Windscribe, Filezilla, AzireVPN, Snowflake, Steam, Discord, Signal, and Telegram.

Checkmarx is tracking the threat actor behind the campaign under the moniker PYTA31, stating the end goal is to exfiltrate sensitive and particularly crypto wallet data from the target machines.

Some of the newly published rogue packages have also been observed incorporating clipper functionality to overwrite clipboard content with attacker-owned wallet addresses to carry out unauthorized transactions. A few others have been configured to steal data from browsers, applications, and crypto services.


Fortinet said the finding “demonstrates the ability of a single malware author to disseminate numerous info-stealing malware packages into the PyPI library over time, each featuring distinct payload intricacies.”

The disclosure comes as ReversingLabs discovered two malicious packages on the npm package registry that leverage GitHub to store Base64-encoded SSH keys stolen from the developer systems on which they were installed.

Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub
https://www.indiavpn.org/2024/01/23/malicious-npm-packages-exfiltrate-hundreds-of-developer-ssh-keys-via-github/
Published Tue, 23 Jan 2024 16:15:38 +0000

Jan 23, 2024 | Newsroom | Software Security / Supply Chain


Two malicious packages discovered on the npm package registry have been found to leverage GitHub to store Base64-encoded SSH keys stolen from the developer systems on which they were installed.

The modules named warbeast2000 and kodiak2k were published at the start of the month, attracting 412 and 1,281 downloads before they were taken down by the npm maintainers. The most recent downloads occurred on January 21, 2024.

Software supply chain security firm ReversingLabs, which made the discovery, said there were eight different versions of warbeast2000 and more than 30 versions of kodiak2k.

Both modules run a postinstall script after installation that retrieves and executes two different JavaScript files.


While warbeast2000 attempts to access the private SSH key, kodiak2k is designed to look for a key named “meow,” suggesting that the threat actor used a placeholder name during the early stages of development.

“This second stage malicious script reads the private SSH key stored in the id_rsa file located in the <homedir>/.ssh directory,” security researcher Lucija Valentić said. “It then uploaded the Base64-encoded key to an attacker-controlled GitHub repository.”
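Because the theft happens in an install-time lifecycle hook, the defensive counterpart is to enumerate every preinstall/install/postinstall script in a dependency tree before it runs and flag the ones that touch SSH material or pull code from the network. The script below is an added example, not ReversingLabs' tooling; it builds a small constructed node_modules tree in a temporary directory, and the package names and hook commands in it are assumptions for illustration.

```python
"""Audit install-time lifecycle scripts in an npm dependency tree.

Added example (not ReversingLabs' code). Walks node_modules, lists every
lifecycle hook declared in a package.json, and flags commands matching
patterns a reviewer would want to see before letting the hook execute.
The sample tree is constructed in a temp directory so this runs offline."""
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics, not a malware signature: each pattern names why it is worth a look.
SUSPICIOUS = [
    (re.compile(r"\.ssh|id_rsa|id_ed25519"), "references SSH key material"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|node)\b"), "pipes a download into an interpreter"),
    (re.compile(r"\bnode\s+-e\b|\beval\b"), "executes inline code"),
    (re.compile(r"base64"), "base64 encode/decode inside an install hook"),
]


def find_lifecycle_scripts(root: str) -> list:
    """Return [(package_name, hook, command)] for every package.json under root."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue  # not valid JSON; nothing npm would run from it
        scripts = manifest.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                found.append((manifest.get("name", dirpath), hook, scripts[hook]))
    return found


def classify(command: str) -> list:
    """Reasons a hook command looks suspicious; empty list means none matched."""
    return [why for pattern, why in SUSPICIOUS if pattern.search(command)]


def audit_tree(root: str) -> list:
    """Flagged entries only: (package, hook, command, [reasons])."""
    flagged = []
    for pkg, hook, cmd in find_lifecycle_scripts(root):
        reasons = classify(cmd)
        if reasons:
            flagged.append((pkg, hook, cmd, reasons))
    return flagged


def build_sample_tree() -> str:
    """Constructed node_modules with one benign and one suspicious package (assumed names)."""
    root = tempfile.mkdtemp()
    packages = {
        "tidy-lib": {"name": "tidy-lib", "version": "1.0.0",
                     "scripts": {"postinstall": "node-gyp rebuild"}},
        "keygrab-example": {"name": "keygrab-example", "version": "0.0.1",
                            "scripts": {"postinstall":
                                        "node -e \"require('fs').existsSync("
                                        "require('os').homedir()+'/.ssh/id_rsa')\""}},
    }
    for name, manifest in packages.items():
        pkg_dir = os.path.join(root, "node_modules", name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for entry in audit_tree(build_sample_tree()):
        print(entry)
```

Point the script at a freshly installed project (`npm install --ignore-scripts` first, which is a real npm flag, so nothing runs before the audit) and review every flagged hook by hand; legitimate native builds such as `node-gyp rebuild` pass through, while a hook that mentions `~/.ssh` has no business in an install step.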

Subsequent versions of kodiak2k were found to execute a script found in an archived GitHub project hosting the Empire post-exploitation framework. The script is capable of launching the Mimikatz hacking tool to dump credentials from process memory.

“The campaign is just the latest example of cybercriminals and malicious actors using open source package managers and related infrastructure to support malicious software supply chain campaigns that target development organizations and end-user organizations,” Valentić said.

3 Malicious PyPI Packages Found Targeting Linux with Crypto Miners
https://www.indiavpn.org/2024/01/04/3-malicious-pypi-packages-found-targeting-linux-with-crypto-miners/
Published Thu, 04 Jan 2024 12:08:10 +0000

Jan 04, 2024 | Newsroom | Cryptocurrency Miner / Malware


Three new malicious packages have been discovered in the Python Package Index (PyPI) open-source repository with capabilities to deploy a cryptocurrency miner on affected Linux devices.

The three harmful packages, named modularseven, driftme, and catme, attracted a total of 431 downloads over the past month before they were taken down.

“These packages, upon initial use, deploy a CoinMiner executable on Linux devices,” Fortinet FortiGuard Labs researcher Gabby Xiong said, adding the campaign shares overlaps with a prior campaign that involved the use of a package called culturestreak to deploy a crypto miner.


The malicious code resides in the __init__.py file, which decodes and retrieves the first stage from a remote server, a shell script (“unmi.sh”) that fetches a configuration file for the mining activity as well as the CoinMiner file hosted on GitLab.

The ELF binary file is then executed in the background using the nohup command, thus ensuring that the process continues to run after exiting the session.

“Echoing the approach of the earlier ‘culturestreak’ package, these packages conceal their payload, effectively reducing the detectability of their malicious code by hosting it on a remote URL,” Xiong said. “The payload is then incrementally released in various stages to execute its malicious activities.”

The connections to the culturestreak package also stem from the fact that the configuration file is hosted on the domain papiculo[.]net and the coin mining executables are hosted on a public GitLab repository.


One notable improvement in the three new packages is the introduction of an extra stage by concealing their nefarious intent in the shell script, thereby helping it evade detection by security software and lengthening the exploitation process.

“Moreover, this malware inserts the malicious commands into the ~/.bashrc file,” Xiong said. “This addition ensures the malware’s persistence and reactivation on the user’s device, effectively extending the duration of its covert operation. This strategy aids in the prolonged, stealthy exploitation of the user’s device for the attacker’s benefit.”

116 Malware Packages Found on PyPI Repository Infecting Windows and Linux Systems
https://www.indiavpn.org/2023/12/26/116-malware-packages-found-on-pypi-repository-infecting-windows-and-linux-systems/
Published Tue, 26 Dec 2023 13:27:49 +0000

Dec 14, 2023 | Newsroom | Malware / Supply Chain Attack


Cybersecurity researchers have identified a set of 116 malicious packages on the Python Package Index (PyPI) repository that are designed to infect Windows and Linux systems with a custom backdoor.

“In some cases, the final payload is a variant of the infamous W4SP Stealer, or a simple clipboard monitor to steal cryptocurrency, or both,” ESET researchers Marc-Etienne M.Léveillé and Rene Holt said in a report published earlier this week.

The packages are estimated to have been downloaded over 10,000 times since May 2023.

The threat actors behind the activity have been observed using three techniques to bundle malicious code into Python packages: via a test.py script, by embedding PowerShell in the setup.py file, and by incorporating it in obfuscated form in the __init__.py file.
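Two of the three bundling techniques leave a recognisable shape in the source: an `exec()`/`eval()` whose argument is a decoded or decompressed blob, and a shell call whose arguments mention PowerShell. A static triage pass over setup.py, test.py and __init__.py catches both before the package is ever installed. The scanner below is an added example, not ESET's tooling; it parses the files with Python's `ast` module and never executes them, and the three sample sources it scans are constructed inline.

```python
"""Static triage of a Python package's install-time files for the bundling
tricks described above: exec/eval of a decoded blob, and PowerShell launched
from setup.py. Added example (not ESET's code); sample sources are constructed."""
import ast

DECODE_FUNCS = {"b64decode", "b85decode", "a85decode", "decompress", "unhexlify"}
EXEC_FUNCS = {"exec", "eval"}
SHELL_FUNCS = {"system", "popen", "Popen", "run", "call", "check_output", "check_call"}


def _callee_name(node: ast.Call) -> str:
    """Name of the function being called: exec(...) -> 'exec', base64.b64decode(...) -> 'b64decode'."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return ""


def _contains_decode(node: ast.AST) -> bool:
    """True if any call inside the subtree is a decode/decompress routine."""
    return any(isinstance(n, ast.Call) and _callee_name(n) in DECODE_FUNCS
               for n in ast.walk(node))


def _mentions_powershell(node: ast.AST) -> bool:
    """True if any string constant inside the call mentions PowerShell."""
    return any(isinstance(n, ast.Constant) and isinstance(n.value, str)
               and "powershell" in n.value.lower() for n in ast.walk(node))


def scan_source(source: str, filename: str = "<pkg>") -> list:
    """Return [(filename, line, finding)] without executing anything."""
    findings = []
    try:
        tree = ast.parse(source, filename)
    except SyntaxError as err:
        return [(filename, err.lineno or 0, "unparseable source")]
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name in EXEC_FUNCS and any(_contains_decode(arg) for arg in node.args):
            findings.append((filename, node.lineno, f"{name}() of decoded payload"))
        elif name in SHELL_FUNCS and _mentions_powershell(node):
            findings.append((filename, node.lineno, f"{name}() launches PowerShell"))
    return findings


def scan_package(files: dict) -> list:
    """Scan a {filename: source} mapping, e.g. the setup.py/test.py/__init__.py of a wheel or sdist."""
    hits = []
    for fname, src in files.items():
        hits.extend(scan_source(src, fname))
    return hits


# Constructed samples: an obfuscated __init__.py, a setup.py that shells out to
# PowerShell, and a benign setup.py. The blob is a placeholder, not a real payload.
OBFUSCATED_INIT = (
    "import base64, zlib\n"
    "exec(zlib.decompress(base64.b64decode('<base64 blob placeholder>')))\n"
)
PS_SETUP = (
    "import subprocess\n"
    "from setuptools import setup\n"
    "subprocess.run(['powershell', '-Command', 'Write-Output hi'], check=False)\n"
    "setup(name='demo')\n"
)
BENIGN_SETUP = (
    "from setuptools import setup\n"
    "setup(name='demo', version='1.0')\n"
)

if __name__ == "__main__":
    for hit in scan_package({"__init__.py": OBFUSCATED_INIT, "setup.py": PS_SETUP,
                             "benign_setup.py": BENIGN_SETUP}):
        print(hit)
```

The `_contains_decode` walk is what makes the exec check robust to nesting: `exec(zlib.decompress(base64.b64decode(...)))` and a plain `exec(base64.b64decode(...))` are both caught, while `exec` of a literal or a variable is left for a human to judge. Because only `ast.parse` is used, the files under review are never imported or run.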


Irrespective of the method used, the end goal of the campaign is to compromise the targeted host with malware, primarily a backdoor capable of remote command execution, data exfiltration, and taking screenshots. The backdoor module is implemented in Python for Windows and in Go for Linux.

Alternatively, the attack chains culminate in the deployment of W4SP Stealer or of clipper malware that monitors a victim’s clipboard and, whenever a wallet address is present, swaps it for an attacker-controlled address.


The development is the latest in a wave of compromised Python packages attackers have released to poison the open-source ecosystem and distribute a medley of malware for supply chain attacks.

It’s also the newest addition to a steady stream of bogus PyPI packages that have acted as a stealthy channel for distributing stealer malware. In May 2023, ESET revealed another cluster of libraries that were engineered to propagate Sordeal Stealer, which borrows its features from W4SP Stealer.

Then, last month, malicious packages masquerading as seemingly innocuous obfuscation tools were found to deploy a stealer malware codenamed BlazeStealer.


“Python developers should thoroughly vet the code they download, especially checking for these techniques, before installing it on their systems,” the researchers cautioned.

The disclosure also follows the discovery of npm packages that were found targeting an unnamed financial institution as part of an “advanced adversary simulation exercise.” The names of the modules, which contained an encrypted blob, have been withheld to protect the identity of the organization.

“This decrypted payload contains an embedded binary that cleverly exfiltrates user credentials to a Microsoft Teams webhook that is internal to the target company in question,” software supply chain security firm Phylum disclosed last week.
