Self-Propagating Supply Chain Worm Targets npm Packages to Steal Developer Credentials
Cybersecurity researchers have recently identified a new wave of supply chain attacks involving a self-propagating worm that infiltrates npm packages to exfiltrate developer credentials. This sophisticated malware, dubbed CanisterSprawl, leverages stolen npm tokens to spread across the software development ecosystem, posing significant risks to developers and organizations alike.
Discovery and Affected Packages
The malicious activity was detected by security firms Socket and StepSecurity, who have been closely monitoring the campaign. The worm has compromised several npm packages, including:
– @automagik/genie (versions 4.260421.33 to 4.260421.40)
– @fairwords/loopback-connector-es (versions 1.4.3 to 1.4.4)
– @fairwords/websocket (versions 1.0.38 to 1.0.39)
– @openwebconcept/design-tokens (versions 1.0.1 to 1.0.3)
– @openwebconcept/theme-owc (versions 1.0.1 to 1.0.3)
– pgserve (versions 1.1.11 to 1.1.14)
These packages have been manipulated to include malicious code that activates upon installation, initiating the credential theft process.
Mechanism of Attack
The worm operates by executing a post-installation script that harvests sensitive information from the developer’s environment. The data targeted includes:
– npm configuration files (.npmrc)
– SSH keys and configurations
– Git credentials
– Network credentials (.netrc)
– Cloud service credentials for AWS, Google Cloud, and Microsoft Azure
– Kubernetes and Docker configurations
– Infrastructure-as-code tool credentials (Terraform, Pulumi, Vault)
– Database password files
– Local environment files (.env)
– Shell command history
Additionally, the malware attempts to extract credentials from Chromium-based web browsers and data from cryptocurrency wallet extensions. The collected information is then transmitted to remote servers, including an HTTPS webhook at telemetry.api-monitor[.]com and an Internet Computer Protocol (ICP) canister at cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io.
Propagation and Persistence
What sets CanisterSprawl apart is its self-propagating nature. After exfiltrating credentials, the worm uses the stolen npm tokens to publish new, malicious versions of the compromised packages. These versions contain the same post-installation script, enabling the malware to spread further as unsuspecting developers install the infected packages.
Moreover, the worm exhibits cross-platform capabilities by incorporating propagation logic for the Python Package Index (PyPI). It generates a Python payload designed to execute upon Python startup and, if the necessary credentials are available, uploads malicious Python packages using Twine. This functionality allows the worm to extend its reach beyond the npm ecosystem, affecting Python developers as well.
Connection to Previous Attacks
The use of an ICP canister for data exfiltration is reminiscent of tactics employed by the threat group known as TeamPCP in their CanisterWorm campaign. By utilizing decentralized infrastructure like ICP canisters, attackers can create resilient command-and-control channels that are difficult to disrupt.
In a related incident, the Python package xinference (versions 2.6.0 to 2.6.2) was found to contain a Base64-encoded payload that downloads a second-stage module responsible for harvesting a wide array of credentials and secrets from the infected host. The decoded payload included the comment # hacked by teampcp, indicating a possible link to the same threat actors.
Implications for the Developer Community
The emergence of self-propagating worms like CanisterSprawl underscores the escalating threats within the open-source software supply chain. Developers and organizations must exercise heightened vigilance when incorporating third-party packages into their projects.
Recommendations for Mitigation
To protect against such supply chain attacks, consider the following measures:
1. Verify Package Integrity: Before adding new packages or updating existing ones, verify their authenticity and integrity.
2. Monitor for Suspicious Activity: Implement monitoring tools to detect unusual behaviors or unauthorized access within your development environment.
3. Limit Token Exposure: Restrict the use of npm tokens and other credentials to the minimum necessary scope and duration.
4. Regularly Rotate Credentials: Periodically change access tokens, passwords, and other sensitive credentials to minimize the risk of unauthorized access.
5. Educate Development Teams: Provide training on the risks associated with supply chain attacks and best practices for secure coding and package management.
By adopting these strategies, developers can reduce the likelihood of falling victim to self-propagating worms and other supply chain threats.
