Ethical Hacking News
A malicious software supply chain attack has been uncovered on the npm package registry. Despite its innocuous appearance, the @0xengine/xmlrpc package was found to harbor functionality to harvest valuable information and deploy the XMRig cryptocurrency miner, and it has compromised thousands of systems worldwide.
In summary: a JavaScript-based XML-RPC server and client package published on npm turned malicious in version 1.3.4. It spreads through multiple vectors, including direct npm installation and inclusion as a hidden dependency in a legitimate-looking repository. The malware harvests sensitive data and deploys crypto miners, exfiltrating the stolen information via Dropbox and file.io. The abuse of package dependencies has proved effective, with 68 systems actively mining cryptocurrency. The malware also watches the list of running processes for system-monitoring commands, halting its mining processes when one appears, and suspends mining if user activity is detected.
In a disturbing turn of events, cybersecurity researchers have uncovered a malicious software supply chain attack that has been active for over a year, compromising thousands of systems worldwide. The attack began with an innocuous JavaScript-based XML-RPC server and client package called @0xengine/xmlrpc, which was published on the npm (Node Package Manager) registry on October 2, 2023.
Initially, the package had been downloaded only 1,790 times, but its malicious code, introduced in version 1.3.4 a day later, has since been responsible for stealing sensitive data and deploying crypto miners on infected systems. The attack achieved distribution through multiple vectors, including direct npm installation and as a hidden dependency in a legitimate-looking repository.
According to Checkmarx, the security firm that discovered the package, the malicious code was designed to harvest valuable information such as SSH keys, bash history, system metadata, and environment variables every 12 hours, and exfiltrate it via services like Dropbox and file.io. The attack also employed a second approach, involving a GitHub project repository named yawpp (short for "Yet Another WordPress Poster") that lists the latest version of @0xengine/xmlrpc as a dependency.
This approach effectively exploits the trust users place in package dependencies, causing the malicious npm package to be automatically downloaded and installed when users attempt to set up the yawpp tool on their systems. It is currently not clear if the developer of the tool deliberately added this package as a dependency, but it is evident that this method of malware distribution is effective.
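A defender's first check against this kind of transitive pull-in is to audit the lockfile rather than only the top-level package.json. The following is an added example, not code from the article or from Checkmarx: it scans an npm package-lock.json (lockfileVersion 2/3 layout) for the package named in the article and flags any installed copy at or above the version where the malicious code appeared; the lockfile content, the project name and the yawpp version number are constructed for illustration.

```javascript
// Added example (not from the article): scan an npm package-lock.json for a
// package known to have turned malicious. The name and the first bad version
// (1.3.4) come from the article; the lockfile content below is constructed.

// Indicators: package name -> first version known to carry malicious code.
const INDICATORS = { "@0xengine/xmlrpc": "1.3.4" };

// Numeric compare of dotted versions (prerelease suffix ignored): a >= b.
function versionGte(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Walk the lockfileVersion 2/3 "packages" map (keys are install paths such as
// "node_modules/yawpp/node_modules/@0xengine/xmlrpc") and report every hit,
// so a transitive pull-in via a wrapper like yawpp is caught as well.
function findCompromised(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = meta.name || path.slice(path.lastIndexOf("node_modules/") + 13);
    const first = INDICATORS[name];
    if (first && meta.version && versionGte(meta.version, first)) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// Constructed sample lockfile: the project depends on yawpp, which pins the
// trojanised xmlrpc package; express is an unrelated, unflagged dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0", dependencies: { yawpp: "*" } },
    "node_modules/yawpp": { version: "0.1.0", dependencies: { "@0xengine/xmlrpc": "*" } },
    "node_modules/@0xengine/xmlrpc": { version: "1.3.4" },
    "node_modules/express": { version: "4.19.2" },
  },
};

console.log(findCompromised(SAMPLE_LOCK));
```

On a real project, replace SAMPLE_LOCK with the parsed contents of the repository's package-lock.json and run the check in CI so that a new transitive dependency fails the build.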
Once installed, the malware is designed to collect system information, establish persistence on the host through systemd, and deploy the XMRig cryptocurrency miner. As many as 68 compromised systems have been found to actively mine cryptocurrency through the attacker's Monero wallet. The malware is also capable of constantly monitoring the list of running processes to check for the presence of commands like top, iostat, sar, glances, dstat, nmon, vmstat, and ps, and terminate all mining-related processes if found.
Furthermore, it is equipped with the ability to suspend mining operations if user activity is detected. This level of sophistication highlights the threat posed by this attack and underscores the importance of software supply chain security.
The discovery of this malicious package serves as a stark reminder that a package's longevity and consistent maintenance history do not guarantee its safety. It also emphasizes the need for constant vigilance in both initial vetting and throughout a package's lifecycle.
This is not an isolated incident, but rather part of a larger malicious campaign targeting Windows users, which uses counterfeit packages uploaded to both npm and the Python Package Index (PyPI) repositories with the end goal of deploying open-source stealer malware known as Blank-Grabber and Skuld Stealer. As many as 18 and 39 unique phony packages have been uploaded to the two repositories.
The use of numerous packages and involvement of several malicious users suggests that MUT-8694, the threat cluster tracked by Checkmarx, is persistent in its attempts to compromise developers. This campaign overlaps with one documented by Socket earlier this month as aiming to infect Roblox users with the same malware.
In response to these attacks, cybersecurity researchers are urging developers and organizations to implement strict software dependency checks and regular security audits to mitigate the risks associated with npm packages.
Furthermore, they recommend that developers update their dependencies regularly and use reputable third-party security scanning tools to identify potential vulnerabilities in their codebases. The use of secure coding practices, such as input validation and secure communication protocols, can also help prevent attacks like this one.
Related Information:
https://thehackernews.com/2024/11/xmlrpc-npm-library-turns-malicious.html
https://news.backbox.org/2024/11/28/xmlrpc-npm-library-turns-malicious-steals-data-deploys-crypto-miner/
Published: Fri Nov 29 02:39:03 2024 by llama3.2 3B Q4_K_M