Major attack on node.js
A cryptocurrency thief got into the npm account of a hard-working developer via spearphishing. node.js packages with billions of downloads are affected.
(Symbol image: Middleclasstool, CC-BY-SA 4.0 Intl)
A major attack on the supply chain for software packages for the widely used JavaScript runtime environment node.js was discovered on Monday. The attacker has injected obfuscated malicious code into numerous popular packages via the package manager npm (formerly Node Package Manager). This is probably the largest successful attack on npm to date.
Around 20 affected packages maintained by the developer qix are known; together they are downloaded more than two billion times a week (!). That alone means the attack impacts large parts of the node.js universe. There is also an unconfirmed indication that packages from other developers may have been contaminated with malware as well.
According to Jan-David Stärk, the malware discovered and investigated so far modifies certain browser routines in order to intercept and alter data in the victim's web browser. This affects both classic network traffic and traffic to and from application programming interfaces (APIs). In addition, routines of any installed browser extensions for cryptocurrency wallets are modified.
Crypto theft
The aim of the attacker is apparently to steal units of the cryptocurrencies Bitcoin (BTC), Bitcoin Cash (BCH), Ethereum (ETH), Litecoin (LTC), Solana (SOL), and Tron (TRX). The malware waits for strings of characters that look like wallet addresses and replaces the legitimate addresses with other addresses that are presumably controlled by the attacker.
If the victim orders a transfer via a normal webpage in the browser, the malware replaces the target address with a false one, but not just any address: one whose character string looks very similar. To achieve this, the attacker uses an algorithm that picks the substitute with the smallest possible Levenshtein distance to the legitimate address. This makes it difficult for human eyes to recognize the differences in the target address.
If the victim uses a wallet browser extension, the malicious code intercepts the transfer before it is signed and replaces the recipient's address in the working memory. The falsified transaction is then forwarded to the wallet for approval. If the user does not look very closely, they sign the fraudulent transfer.
Spearphishing
The developer qix (Josh Junon) has confirmed the incident and immediately set about cleaning up the mess. Early Monday morning, he had received a request from support@npmjs.help to renew his two-factor authentication settings because they had been unchanged for twelve months. Unfortunately, there are still online services that require periodic password changes or similar measures, even though this is contrary to applicable security guidelines such as NIST SP 800-63B (Section 3.1.1.2). Changes to access data should only be enforced if there is reason to believe that the previously used data has been compromised or is otherwise insecure, for example, because passwords are too short.
The attacker combined the “shockingly genuine” request with the threat that the npm account would otherwise be shut down on Wednesday. Junon complied, and the trap snapped shut. “I should have been more careful, but it slipped through. I'm really sorry, it's embarrassing,” writes the developer, who does not hide the mishap.
Known affected packages
According to IT security company Aikido, these packages are affected:
ansi-regex
ansi-styles
backslash
chalk
chalk-template
color-convert
color-name
color-string
debug
error-ex
has-ansi
is-arrayish
simple-swizzle
slice-ansi
strip-ansi
supports-color
supports-hyperlinks
wrap-ansi
Socket.dev has also identified the package proto-tinker-wc. Several of the packages are managed by qix together with Sindre Sorhus, the npm developer with the largest number of downloads. The attacker has assigned the latest version numbers to the falsified packages to speed up their distribution. The code was obfuscated, and, according to Aikido, invisible characters and code in different directions (from left to right and from right to left) were included to make analysis more difficult. The known malware packages have since been removed from the npm database. However, it cannot currently be ruled out that older versions have also been infected or that other developer accounts on npm have been affected. And of course, numerous systems have probably already downloaded and installed the infected packages.
(ds)