New NPM attack: Self-replicating malware infects dozens of packages
It is possible that the attackers behind this attack are the same ones as last time. Their malicious code bears the name of a prominent science fiction monster.
Various IT security companies are warning of new attacks on the npm ecosystem around node.js. Several dozen packages (at least 40, in one report as many as 150) are infected with malware that steals secret data and leaks it via a webhook. In addition, the malware replicates itself – and is therefore a worm.
npm, the Node Package Manager, gets no rest. Shortly after unknown attackers phished the access credentials of a prominent developer and published manipulated packages, the distribution hub for node.js libraries now has to contend with a full-blown worm.
As StepSecurity and Socket both report, the compromised packages include @ctrl/tinycolor, which is downloaded around two million times a week. Around a dozen other packages from the developer @ctrl are also affected, some from the Nativescript community and, as Aikido lists, even those from the security company Crowdstrike.
The malicious code uses "TruffleHog" to sniff out interesting data, such as API credentials and access data for GitHub and the Google and Amazon clouds. It then creates GitHub repositories and workflows and exfiltrates its prey via a webhook on the webhook.site domain. And it apparently has the ability to replicate itself by infecting other packages and uploading trojanised package versions.
It is still unclear where the attack began – the three analysing companies do not name a clear "patient zero". The authors of the attack are also unknown, possibly the same as in the last attack.
Godlike npm worm?
A curious detail: the attackers are evidently science fiction fans. The worm component of their malware creates a GitHub repository called "Shai-Hulud" and corresponding workflows. "Shai-Hulud", originally Arabic for "thing of immortality", is the name of the monumental sandworms in Frank Herbert's epic "Dune". The inhabitants of the desert planet worship the sandworms as god-like.
JavaScript developers, and especially maintainers of packages hosted on npm, should exercise the utmost caution and consult the extensive list of infected packages. Anyone who finds infected versions in their own projects should remove them immediately, rotate all credentials, revoke tokens and clean up their own GitHub repositories. StepSecurity's blog entry provides detailed instructions.
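One way to carry out that check against a project's lockfile, as an added example that is not code from the article or from StepSecurity, Socket or Aikido: a short Node script that flags every installed name@version on a list of compromised releases, including transitive copies nested below other dependencies. The block list and the sample lockfile are constructed placeholders, since the article does not reproduce the vendors' version lists.

```javascript
// Added example (not from the article or the cited vendors): flag lockfile
// entries whose name@version is on a list of compromised releases. COMPROMISED
// is a CONSTRUCTED placeholder; load the vendor-published list for real use.
const COMPROMISED = {
  "@ctrl/tinycolor": new Set(["0.0.0-placeholder-bad"]),
};

// Name from a v2/v3 "packages" key: text after the last "node_modules/".
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? null : path.slice(i + "node_modules/".length);
}

// Flatten package-lock.json into [{name, version}]: flat "packages" map
// for lockfileVersion 2/3, nested "dependencies" tree for lockfileVersion 1.
function lockfileEntries(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = nameFromPath(path);
      if (name && meta.version) out.push({ name, version: meta.version });
    }
    return out;
  }
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (meta.version) out.push({ name, version: meta.version });
      walk(meta.dependencies); // transitive copies live under each dependency
    }
  };
  walk(lock.dependencies);
  return out;
}

// "name@version" for every installed release that appears on the block list.
function findCompromised(lock, blocklist = COMPROMISED) {
  return lockfileEntries(lock)
    .filter(({ name, version }) => blocklist[name]?.has(version))
    .map(({ name, version }) => `${name}@${version}`);
}

// Constructed sample: the bad version sits two levels down, where a glance
// at direct dependencies would miss it.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@ctrl/tinycolor": { version: "0.0.0-placeholder-clean" },
    "node_modules/some-ui-lib": { version: "2.1.0" },
    "node_modules/some-ui-lib/node_modules/@ctrl/tinycolor": { version: "0.0.0-placeholder-bad" },
  },
};

console.log(findCompromised(SAMPLE_LOCK)); // [ '@ctrl/tinycolor@0.0.0-placeholder-bad' ]
```

Run it with `node` against a real `package-lock.json` by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; any output line is a version that must be removed and its credentials rotated.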
(cku)