Ethical Hacking News
A malicious npm library has been discovered to steal sensitive data and deploy a crypto miner on infected systems, highlighting the importance of constant vigilance in software supply chain security. The attack, which has remained active for over a year, was detected by researchers at Checkmarx, who identified the package as @0xengine/xmlrpc. The malicious code was introduced in version 1.3.4 and harvested valuable information such as SSH keys, bash history, system metadata, and environment variables every 12 hours. The attack distribution methods include direct npm installation and a hidden dependency in a legitimate-looking repository.
A sophisticated software supply chain attack has been secretly exploiting the npm package registry for over a year. A malicious package named @0xengine/xmlrpc was published on October 2, 2023, and the malicious code was strategically introduced in version 1.3.4 to harvest sensitive data from infected systems. The attack also employed a hidden dependency in a legitimate-looking GitHub project repository named yawpp to distribute the malware. The malware collected system information, established persistence through systemd, and deployed the XMRig cryptocurrency miner. The attack's most significant consequence is the mining of Monero on compromised systems, with 68 infected systems found to be mining cryptocurrency. Developers should prioritize security testing and stay informed about emerging threats to protect themselves against software supply chain attacks.
A recent discovery by researchers at Checkmarx has shed light on a sophisticated software supply chain attack that has been secretly exploiting the npm package registry for over a year. The malicious package, named @0xengine/xmlrpc, was originally published as a JavaScript-based XML-RPC server and client for Node.js on October 2, 2023, and has since posed a persistent risk to unsuspecting developers who installed it.
According to Checkmarx, the malicious code was strategically introduced in version 1.3.4 just one day after the package's initial publication. This deliberate introduction marked the beginning of an elaborate scheme to harvest sensitive data from infected systems, which would then be exfiltrated via services such as Dropbox and file.io. The attack's reach extended beyond direct npm installation, as it also employed a hidden dependency in a legitimate-looking GitHub project repository named yawpp.
The yawpp project purportedly served as a tool designed to programmatically create posts on the WordPress platform. However, its "package.json" file listed the latest version of @0xengine/xmlrpc as a dependency, thereby causing the malicious npm package to be automatically downloaded and installed when users attempted to set up the yawpp tool on their systems. It is unclear whether the developer of the tool deliberately added this package as a dependency, but it serves as another effective malware distribution method that exploits the trust users place in package dependencies.
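The two indicators described above, a dependency declared with a floating spec such as "latest" (how yawpp pulled in the package) and a resolved @0xengine/xmlrpc version at or above 1.3.4 (the first malicious release), can be checked mechanically. The following Node.js script is an added example, not code from the article, Checkmarx or the yawpp project; the manifest and lockfile it audits are constructed stand-ins, and the package name and version threshold are the ones the article reports.

```javascript
// Added example: audit an npm manifest and package-lock (v2/v3 layout) for
// floating dependency specs and for a known-bad package at or above the
// version in which its malicious code first appeared. Sample data is constructed.

// Bare dist-tags and wildcards let the registry choose the version at install time.
const FLOATING_SPECS = new Set(["latest", "*", "x", "next"]);

// Package name and first malicious version as reported in the article.
const KNOWN_BAD = { "@0xengine/xmlrpc": "1.3.4" };

// Numeric comparison of dotted versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isFloatingSpec(spec) {
  const s = String(spec).trim();
  if (s === "" || FLOATING_SPECS.has(s)) return true;
  // Anything that is not a semver version or range (a dist-tag, a git or
  // tarball URL) resolves to whatever the publisher points it at.
  if (!/^[\^~<>=\d]/.test(s)) return true;
  // Wildcards inside a numeric spec ("1.x", "1.*") float as well.
  return /[x*]/i.test(s);
}

function auditManifest(manifest, lockfile) {
  const findings = [];
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  for (const [name, spec] of Object.entries(deps)) {
    if (isFloatingSpec(spec)) findings.push({ name, reason: `floating version spec "${spec}"` });
  }
  // Lockfile v2/v3 lists installed packages under "packages", keyed by path.
  for (const [path, info] of Object.entries((lockfile && lockfile.packages) || {})) {
    const name = path.replace(/^.*node_modules\//, "");
    const firstBad = KNOWN_BAD[name];
    if (firstBad && info.version && compareVersions(info.version, firstBad) >= 0) {
      findings.push({ name, reason: `resolved ${info.version} >= first malicious release ${firstBad}` });
    }
  }
  return findings;
}

// Constructed stand-in for a yawpp-style manifest and its lockfile.
const SAMPLE_MANIFEST = { dependencies: { "@0xengine/xmlrpc": "latest", "example-helper": "^2.0.0" } };
const SAMPLE_LOCK = { packages: { "node_modules/@0xengine/xmlrpc": { version: "1.3.4" }, "node_modules/example-helper": { version: "2.1.0" } } };
```

Running `auditManifest(SAMPLE_MANIFEST, SAMPLE_LOCK)` reports the floating spec and the resolved malicious version; a lockfile pinned to 1.3.3 yields no version finding.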
Once installed, the malware was designed to collect system information, establish persistence on the host through systemd, and deploy the XMRig cryptocurrency miner. The attack's most significant consequence is the mining of Monero, with as many as 68 compromised systems having been found to actively mine cryptocurrency through an attacker's Monero wallet.
Furthermore, the malware was equipped with sophisticated logic that allowed it to constantly monitor the list of running processes to check for the presence of commands like top, iostat, sar, glances, dstat, nmon, vmstat, and ps. If such commands were detected, all mining-related processes would be terminated, and if user activity was present, mining operations would be suspended.
Checkmarx researchers have cautioned that a package's longevity and consistent maintenance history do not guarantee its safety. Rather, the software supply chain requires constant vigilance – both during initial vetting and throughout a package's lifecycle. The discovery of this malicious npm library serves as a stark reminder of the need for developers to remain vigilant and to perform thorough security audits on their dependencies.
The attack cluster, dubbed MUT-8694 by Checkmarx researchers, has been found to overlap with another campaign documented by Socket earlier this month, which aimed to infect Roblox users with the same malware. The use of numerous packages and involvement of several malicious users suggests that MUT-8694 is persistent in its attempts to compromise developers.
Datadog Security Labs has also uncovered an ongoing malicious campaign targeting Windows users, which uses counterfeit packages uploaded to both npm and the Python Package Index (PyPI) repositories with the end goal of deploying open-source stealer malware known as Blank-Grabber and Skuld Stealer. The libraries used in this campaign attempted to pass off as legitimate packages through the use of typosquatting techniques.
In light of these discoveries, it is clear that software supply chain security has become an increasingly complex and ever-evolving landscape. As malicious actors continue to exploit vulnerabilities and push the boundaries of what is considered acceptable, it is crucial that developers prioritize security testing and stay informed about emerging threats.
In conclusion, the @0xengine/xmlrpc package serves as a cautionary tale about software supply chain security, highlighting the need for constant vigilance and thorough security audits of dependencies. As researchers continue to uncover new malicious packages and attack vectors, developers must take proactive steps to protect themselves against emerging threats.
Related Information:
https://thehackernews.com/2024/11/xmlrpc-npm-library-turns-malicious.html
Published: Thu Nov 28 05:24:14 2024 by llama3.2 3B Q4_K_M