Article Details
Scrape Timestamp (UTC): 2023-10-03 15:03:23.976
Source: https://thehackernews.com/2023/10/over-3-dozen-data-stealing-malicious.html
Original Article Text
Click to Toggle View
Over 3 Dozen Data-Stealing Malicious npm Packages Found Targeting Developers. Nearly three dozen counterfeit packages have been discovered in the npm package repository that are designed to exfiltrate sensitive data from developer systems, according to findings from Fortinet FortiGuard Labs. One set of packages – named @expue/webpack, @expue/core, @expue/vue3-renderer, @fixedwidthtable/fixedwidthtable, and @virtualsearchtable/virtualsearchtable – harbored an obfuscated JavaScript file that's capable of gathering valuable secrets. This includes Kubernetes configurations, SSH keys, and system metadata such as username, IP address, and hostname. The cybersecurity firm said it also discovered another collection of four modules, i.e., binarium-crm, career-service-client-0.1.6, hh-dep-monitoring, and orbitplate, which results in the unauthorized extraction of source code and configuration files. "The targeted files and directories may contain highly valuable intellectual property and sensitive information, such as various application and service credentials," security researchers Jin Lee and Jenna Wang said. "It then archives these files and directories and uploads the resulting archives to an FTP server." Some of the packages observed have also been found leveraging a Discord webhook to exfiltrate sensitive data, while a few others are engineered to automatically download and execute a potentially malicious executable file from a URL. In what's a novel twist, a rogue package named @cima/prism-utils relied on an install script to disable TLS certificate validation (NODE_TLS_REJECT_UNAUTHORIZED=0), potentially rendering connections vulnerable to adversary-in-the-middle (AitM) attacks. The cybersecurity company said it categorized the identified modules into nine different groups based on code similarities and functions, with a majority of them employing install scripts that run pre or post-install to carry out the data harvesting. "End users should watch for packages that employ suspicious install scripts and exercise caution," the researchers said.
Daily Brief Summary
Around three dozen counterfeit packages designed to extract sensitive data from developers' systems have been found in the npm package repository. The discovery was made by Fortinet FortiGuard Labs.
One set of packages, namely @expue/webpack, @expue/core, @expue/vue3-renderer, @fixedwidthtable/fixedwidthtable, @virtualsearchtable/virtualsearchtable, contains an obfuscated JavaScript file capable of collecting secrets such as Kubernetes configurations, SSH keys, and system metadata.
Another four modules discovered result in unauthorised extraction of the source code and configuration files which could hold intellectual property and sensitive credentials. This information is archived and uploaded to an FTP server.
Some packages have been seen to use a Discord webhook to extract sensitive data, while others download and execute a potentially harmful executable file from a URL.
A unique package identified, @cima/prism-utils, leaves connections vulnerable to adversary-in-the-middle (AitM) attacks by using an install script to disable the TLS certificate validation.
The company categorised the identified modules into nine different groups based on code similarities and functions. It recommends end-users to be careful with packages that use suspicious install scripts.