Cybersecurity researchers have found several malicious packages in the NPM registry, and these packages have been targeting big German companies to execute supply chain attacks.
“Compared with most malware found in the NPM repository, this payload seems particularly dangerous: a highly-sophisticated, obfuscated piece of malware that acts as a backdoor and allows the attacker to take total control over the infected machine,” researchers from JFrog said in a new report.
The DevOps company said that evidence suggests that either a top-notch attacker or a “very aggressive” penetration test is behind the attack.
Four maintainers— bertelsmannnpm, boschnodemodules, stihlnodemodules, and dbschenkernpm— have been associated with all the rogue packages; most of the packages have been taken down from the repository. The finding points out that the attackers are trying to copy legitimate firms like Bertelsmann, Bosch, Stihl, and DB Schenker.
Also read,
Some of the package names are distinct, which makes it likely that the adversary managed to trace the libraries hosted in the companies’ internal repositories to carry a dependency confusion attack.
The findings further develop the report from Snyk, which documented the offending packages, “gxm-reference-web-auth-server.” The report observes that an unknown company that has the same package in its private registry has been targeted by the attackers.
“The attacker(s) likely had information about the existence of such a package in the company’s private registry,” the Snyk security research team said.
Calling the implant an “in-house development,” JFrog observed that the malware contains two components, a dropper that sends information about the infected machine to a remote telemetry server before decrypting and executing a JavaScript backdoor.
The backdoor, while lacking a persistence mechanism, is designed to receive and execute commands sent from a hard-coded command-and-control server, evaluate arbitrary JavaScript code, and upload files back to the server.
“The attack is highly targeted and relies on difficult-to-get insider information,” the researchers said. But on the other hand, “the usernames created in the NPM registry did not try to hide the targeted company.”
Reference
https://thehackernews.com/2022/05/malicious-npm-packages-target-german.html
