- Criminals add hundreds of malicious packages to npm
- The packages attempt to retrieve a second-stage payload that infects the machines
- The crooks went to unusual lengths to hide the servers hosting the malware
Software developers, especially those working with cryptocurrencies, are once again the target of a supply chain attack delivered through open source package repositories.
Cybersecurity researchers at Phylum have warned that a threat actor has uploaded hundreds of malicious packages to npm, the open source package registry. The packages are typosquatted versions of Puppeteer and Bignum.js: their names differ from the legitimate packages by only a character or two, so developers who need those libraries may accidentally install the malicious look-alike instead.
Once installed, the package connects to a hidden server, retrieves a second-stage payload and infects the developer's machine. “The binary file sent to the machine is a wrapped Vercel package,” the researchers explained.
Hiding the IP address
The attackers also intended to run something else during installation of the package, but because that file was not included in the package the researchers could not analyze it. “An apparent mistake by the author of the malicious package,” they say.
What sets this campaign apart from other typosquatting supply chain campaigns is the lengths the crooks went to hide the servers under their control.
“Out of necessity, malware authors have had to try to find new ways to hide their intentions and obfuscate remote servers under their control,” the researchers said. “This is once again a lasting reminder that supply chain attacks are alive and well.”
The server's IP address does not appear anywhere in the first-stage code. Instead, the code first queries an Ethereum smart contract in which the IP address is stored, and only then contacts that address. This lets the attackers change the address without republishing the packages, and leaves no hardcoded IP or domain for defenders to block. It ultimately proved to be a double-edged sword, though: because the blockchain is permanent and immutable, the researchers could observe every IP address the crooks have ever used.
Since the targets are developers working with cryptocurrency, the goal was most likely to steal their seed phrases and gain access to their wallets.
Software developers, especially those working in the Web3 space, are frequently targeted by such attacks, so double-checking the exact name of every package before installing it is a must.
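One way to turn that advice into a check, as an added example that is not Phylum's, Ars Technica's or this article's own code: a small audit that flags dependency names within a couple of edits of well-known package names (the near-miss pattern behind the Puppeteer and Bignum.js look-alikes) and lists any package whose manifest declares an install-time lifecycle script, which is where a first stage that runs "during installation" would sit. The popular-name list, the dependency list and the manifests below are constructed for the demo; the invented names `pupeteer` and `lodahs` and the placeholder commands are not the real campaign's packages or scripts.

```javascript
// Added example (not Phylum's or the article's code): a small dependency audit
// that flags (1) dependency names within a small edit distance of well-known
// package names, the typosquatting pattern described above, and (2) packages
// whose manifests declare install-time lifecycle scripts. The "popular" list
// and the manifests below are constructed for the demo, not registry data.

// Standard Levenshtein edit distance (insert, delete, substitute).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Compare names case-insensitively and without the npm scope prefix, so that
// "@Scope/Puppeteer" is compared as "puppeteer".
function normalizeName(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, '');
}

// Return dependencies that are a near miss (1..maxDist edits) of a known
// popular name. An exact match is the legitimate package and is skipped.
function findTyposquats(deps, popular, maxDist = 2) {
  const hits = [];
  for (const dep of deps) {
    const name = normalizeName(dep);
    let best = null;
    for (const known of popular) {
      const d = levenshtein(name, normalizeName(known));
      if (best === null || d < best.distance) best = { closeTo: known, distance: d };
    }
    if (best && best.distance >= 1 && best.distance <= maxDist) {
      hits.push({ name: dep, closeTo: best.closeTo, distance: best.distance });
    }
  }
  return hits;
}

// Hooks that npm runs automatically at install time. Not every such hook is
// malicious, but each one deserves a look before the package is trusted.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

function findInstallScripts(manifests) {
  const found = [];
  for (const m of manifests) {
    const scripts = m.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === 'string') {
        found.push({ name: m.name, hook, command: scripts[hook] });
      }
    }
  }
  return found;
}

// Constructed sample input: a project's dependency list and the package.json
// files it would find under node_modules. "pupeteer" and "lodahs" are invented
// near-miss names; the commands are placeholders, not the campaign's scripts.
const POPULAR = ['puppeteer', 'bignum', 'lodash', 'express', 'ethers', 'left-pad'];
const SAMPLE_DEPS = ['pupeteer', 'bignumjs', 'express', 'lodahs', 'left-pad'];
const SAMPLE_MANIFESTS = [
  { name: 'pupeteer', version: '1.0.0', scripts: { preinstall: 'node index.js' } },
  { name: 'bignumjs', version: '0.0.1' },
  { name: 'express', version: '4.19.2', scripts: { test: 'mocha' } },
  { name: 'lodahs', version: '1.0.0', scripts: { postinstall: 'node setup.js' } },
  { name: 'left-pad', version: '1.3.0' },
];

function auditDependencies(deps = SAMPLE_DEPS, manifests = SAMPLE_MANIFESTS, popular = POPULAR) {
  return {
    typosquats: findTyposquats(deps, popular),
    installScripts: findInstallScripts(manifests),
  };
}

// Run stand-alone with: node audit.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditDependencies(), null, 2));
}
```

In a real project the dependency list comes from `package.json` and the manifests from each `node_modules/<name>/package.json`; the popular-name list should be the libraries your team actually depends on plus the commonly squatted ones. Edit distance alone produces false positives for legitimately similar names, so treat a hit as a prompt to verify the publisher and download history on the registry, not as proof of malice.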
Via Ars Technica