Threat Insight
Supply Chain Attacks Targeting Popular Code Packages
Cybersecurity researchers have warned of a new supply chain attack. A threat actor ran a spear phishing campaign that sent email messages impersonating npm in order to trick project maintainers into clicking a typosquatted link (“npnjs[.]com” instead of “npmjs[.]com”) that harvested their credentials.

The captured tokens were then used to publish malicious versions of the packages directly to the registry, with no corresponding source code commits or pull requests in the projects' GitHub repositories. Reviewing the repository history therefore does not reveal the tampering; only the published artifacts on the registry differ.
The following projects and versions were affected by this campaign:
- eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7)
- eslint-plugin-prettier (versions 4.2.2 and 4.2.3)
- synckit (version 0.11.9)
- @pkgr/core (version 0.2.8)
- napi-postinstall (version 0.3.1)
- got-fetch (versions 5.1.11 and 5.1.12)
- is (versions 3.3.1 and 5.0.0)
In each case the malicious package versions delivered a malware codenamed Scavenger Stealer. It is written entirely in JavaScript, so it runs on Windows, Linux, and macOS. The malicious module collects system information and environment variables and exfiltrates them over a WebSocket connection. Environment variables on developer and CI machines commonly hold registry tokens, cloud keys, and other secrets, so any host that ran one of these versions should be treated as having had those values exposed.
Another similar attack was recently revealed, in which unknown threat actors compromised Toptal’s GitHub organization account and used that access to publish 10 malicious packages to the npm registry.
The packages contained code to exfiltrate GitHub authentication tokens and destroy victim systems, Socket said in a report published last week. In addition, 73 repositories belonging to the organization were made public.
The list of affected Toptal packages is below:
- @toptal/picasso-tailwind
- @toptal/picasso-charts
- @toptal/picasso-shared
- @toptal/picasso-provider
- @toptal/picasso-select
- @toptal/picasso-quote
- @toptal/picasso-forms
- @xene/core
- @toptal/picasso-utils
- @toptal/picasso-typograph
It is not known at this time whether there is any connection between the two incidents.
Recommendations
These incidents are further examples of how threat actors increasingly target software developers to introduce malicious software. If anyone in your organization has installed the packages listed above (check lockfiles, build caches, and CI runners, not only developer machines), investigate those systems to ensure no malware is present, and rotate any npm, GitHub, or cloud credentials that were present in their environment variables.
It is also important to maintain a dialogue between cybersecurity and IT developers in your organization. Informed and aware personnel and clear policies are key factors in defending against supply chain attacks like this.
To minimize the risk of supply chain attacks from code packages, you must know what software you’re using. Leverage software composition analysis and software bills of materials to inventory your third-party software use.
For sensitive projects, consider introducing a “quarantine” of packages that aren’t immediately needed. The packages should still be reasonably up to date so they can receive security fixes, but integration can often be delayed by a few days.
Follow the principle of least privilege and use separate accounts for development work and privileged admin work. Use dedicated workstations, Privileged Access Workstations (PAWs), for all privileged, administrative, and developer access.
Implement multiple Server Admin groups so that a single compromised Server Admin account cannot be used to move across all servers and deploy ransomware. Developers are usually entrusted with some of the highest privileges in an organization, so protecting admin identities is at the core of cybersecurity.
References
[1] https://socket.dev/blog/npm-phishing-email-targets-developers-with-typosquatted-domain
[2] https://socket.dev/blog/toptal-s-github-organization-hijacked-10-malicious-packages-published