Malicious npm packages: SAP software compromised
Several SAP npm packages were compromised in a supply chain attack. Security researchers attribute it to the hacker group TeamPCP.
Updates are available.
(Image: created with AI in Bing Designer by heise online / dmk)
- Manuel Masiero
On April 29, the hacker group TeamPCP apparently injected malicious code into several npm packages published by the German software company SAP. The payload in the manipulated package versions steals, among other things, SSH keys, cloud credentials, Kubernetes configurations and GitHub tokens. Security researchers at Socket recommend that affected developers act immediately.
In its blog post, Socket lists four malicious npm package versions, apparently published by the notorious hacker group TeamPCP: mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2 and @cap-js/sqlite@2.2.2. According to the researchers, the packages belong to SAP's JavaScript and cloud application development ecosystem and together account for more than 550,000 downloads per week. All four were available on npmjs.com, the central package registry for JavaScript/Node.js packages, which is operated by GitHub.
Attack via modified package.json
Each compromised package ships a modified package.json whose lifecycle scripts contain the hook "preinstall": "node setup.mjs". npm runs setup.mjs automatically as soon as someone installs the package, whether on a developer machine or in a CI pipeline. The script downloads a Bun binary from GitHub, unpacks it, and then fetches the actual payload, an 11.7 MB file named execution.js.
On developer systems, the infostealer harvests numerous kinds of data, including SSH keys and cloud credentials for Amazon Web Services (AWS), Google Cloud Platform (GCP), Kubernetes and Microsoft Azure. GitHub CLI and npm tokens, configuration files and crypto wallets are also targeted. The stolen data is encrypted and uploaded to a GitHub repository; if the malware finds no GitHub credentials on the host, it creates a new GitHub account and uses that for exfiltration.
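As an added check that is not part of the article or of any tooling from Socket or SAP: the following Node.js script audits a parsed package-lock.json for the four versions named above and for any dependency whose lockfile entry carries npm's hasInstallScript flag (the flag npm writes into lockfileVersion 2 and 3 entries for packages that declare install-time scripts), and then lists the install hooks found in a single package.json. The sample lockfile and package.json are constructed for the example and are not real project files.

```javascript
// Added example (not code from the article, Socket, or SAP): audit a parsed
// package-lock.json for (a) the four package versions named in the article and
// (b) any dependency that declares an install-time lifecycle script, which is
// the mechanism the malicious package.json used ("preinstall": "node setup.mjs").

// Versions named in the article (package name -> set of compromised versions).
const KNOWN_BAD = {
  "mbt": new Set(["1.2.48"]),
  "@cap-js/db-service": new Set(["2.10.1"]),
  "@cap-js/postgres": new Set(["2.2.2"]),
  "@cap-js/sqlite": new Set(["2.2.2"]),
};

// npm runs these lifecycle scripts automatically during installation.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Lockfile v2/v3 keys look like "node_modules/mbt" or, for nested copies,
// "node_modules/foo/node_modules/@cap-js/sqlite"; take the last segment.
function packageName(lockKey) {
  const marker = "node_modules/";
  const idx = lockKey.lastIndexOf(marker);
  return idx === -1 ? lockKey : lockKey.slice(idx + marker.length);
}

// Walk the "packages" map of a parsed lockfile (lockfileVersion 2 or 3) and
// return one finding per problem: a known-bad version, or an entry that npm
// itself marked as carrying an install script (hasInstallScript: true).
function scanLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project, not a dependency
    const name = packageName(key);
    const version = entry.version;
    if (KNOWN_BAD[name] && KNOWN_BAD[name].has(version)) {
      findings.push({ path: key, name, version, reason: "known compromised version" });
    }
    if (entry.hasInstallScript === true) {
      findings.push({ path: key, name, version, reason: "declares an install script" });
    }
  }
  return findings;
}

// For a single package.json (e.g. node_modules/<pkg>/package.json), list the
// install-time hooks it declares and the commands they would run.
function installHooks(pkgJson) {
  const scripts = (pkgJson && pkgJson.scripts) || {};
  return INSTALL_HOOKS
    .filter((h) => Object.prototype.hasOwnProperty.call(scripts, h))
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Constructed sample lockfile (not a real project): one pinned compromised
// version with an install script, one older mbt, one nested clean copy, and
// one unrelated dependency.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@cap-js/sqlite": "^2.2.0", mbt: "^1.2.0" } },
    "node_modules/@cap-js/sqlite": { version: "2.2.2", hasInstallScript: true },
    "node_modules/mbt": { version: "1.2.47" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/some-tool/node_modules/@cap-js/sqlite": { version: "2.2.1" },
  },
};

// Constructed package.json resembling the hook the article describes.
const SAMPLE_PKG = {
  name: "@cap-js/sqlite",
  version: "2.2.2",
  scripts: { preinstall: "node setup.mjs", test: "mocha" },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.reason}: ${f.name}@${f.version} (${f.path})`);
}
for (const h of installHooks(SAMPLE_PKG)) {
  console.log(`${SAMPLE_PKG.name}: ${h.hook} -> ${h.command}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lockfileVersion 1 files keep dependencies under a differently shaped `dependencies` map and would need a separate walker. Independently of any scanner, `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) stops npm from running lifecycle hooks at all, which would have kept setup.mjs from executing at install time, at the cost of breaking the few legitimate packages that rely on such scripts.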
Shai-Hulud in miniature
According to security researchers at Onapsis, the malicious versions were available for only about two to four hours in total. Socket nevertheless recommends that developers who installed the affected versions update immediately and rotate all access credentials used on the affected systems, since even a short window catches every CI run that resolved the newest version during that time. Cleaned successor versions of the packages are available on npmjs.com. SAP has documented the incident in Security Note 3747787.
Socket's researchers see many technical and operational similarities between this attack and the Shai-Hulud attacks that ran on a large scale last year. Because the TeamPCP attack targets a smaller and more specific ecosystem, they call it Mini Shai-Hulud.
(mro)