Cybersecurity researchers have found several malicious packages in the NPM registry that target major German companies in order to carry out supply chain attacks.
“Compared with most malware found in the NPM repository, this payload seems particularly dangerous: a highly-sophisticated, obfuscated piece of malware that acts as a backdoor and allows the attacker to take total control over the infected machine,” researchers from JFrog said in a new report.
The DevOps company said that evidence suggests that either a top-notch attacker or a “very aggressive” penetration test is behind the attack.
Four maintainers (bertelsmannnpm, boschnodemodules, stihlnodemodules, and dbschenkernpm) have been associated with all the rogue packages; most of the packages have since been taken down from the repository. The finding indicates that the attackers are trying to impersonate legitimate firms such as Bertelsmann, Bosch, Stihl, and DB Schenker.
Some of the package names are highly specific, which makes it likely that the adversary managed to discover the names of libraries hosted in the companies' internal repositories in order to carry out a dependency confusion attack.
The findings build on an earlier report from Snyk, which documented one of the offending packages, "gxm-reference-web-auth-server." That report observes that an unknown company hosting a package of the same name in its private registry was the target of the attackers.
“The attacker(s) likely had information about the existence of such a package in the company’s private registry,” the Snyk security research team said.
“The attack is highly targeted and relies on difficult-to-get insider information,” the researchers said. But on the other hand, “the usernames created in the NPM registry did not try to hide the targeted company.”
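The dependency confusion described above works because an installer that is allowed to consult the public registry will prefer a higher-version public package over an internal one of the same name. The following is an added defender-side example, not code from JFrog or Snyk: it audits a package-lock.json "packages" map and flags any package from an organisation's internal name list that was resolved from somewhere other than the internal registry. The internal registry URL, the internal name list and the sample lockfile are all constructed for the example.

```javascript
// Added example: detect dependency-confusion risk in an npm lockfile (v2/v3 format).
// Assumptions (hypothetical): internal packages live on https://npm.internal.example/
// and the set of internal package names is known to the auditing team.
const INTERNAL_REGISTRY = "https://npm.internal.example/";

// Constructed sample lockfile. The internal package name from the Snyk report is
// shown resolving from the public registry at an implausibly high version, which
// is exactly what a dependency confusion upload produces on an unprotected build.
const SAMPLE_LOCK = {
  name: "web-frontend",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "gxm-reference-web-auth-server": "^1.0.0", "left-pad": "^1.3.0" } },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
    },
    "node_modules/gxm-reference-web-auth-server": {
      version: "99.0.0",
      resolved: "https://registry.npmjs.org/gxm-reference-web-auth-server/-/gxm-reference-web-auth-server-99.0.0.tgz",
    },
  },
};

// Returns one finding per internal-name package whose lock entry was not
// resolved from the internal registry. Handles nested node_modules paths
// and scoped names (@org/pkg) by taking everything after the last "node_modules/".
function auditLockfile(lock, internalNames, internalRegistry = INTERNAL_REGISTRY) {
  const findings = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!internalNames.has(name)) continue;
    const resolved = entry.resolved || "";
    if (!resolved.startsWith(internalRegistry)) {
      findings.push({
        name,
        version: entry.version,
        resolved,
        reason: "internal package resolved from an external registry",
      });
    }
  }
  return findings;
}
```

Running this in CI against every lockfile change turns a silent substitution into a failed build; the durable fix is to publish internal packages under an organisation scope (for example @org/name) and bind that scope to the internal registry in .npmrc so the public registry is never consulted for those names.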