Posts: 15,293
Threads: 9,899
Thanks Received: 9,175 in 7,327 posts
Thanks Given: 10,035
Joined: 12 September 18
16 September 25, 16:54
Quote: A new large-scale attack on a popular JavaScript code registry has hit around 150 packages. The automatic propagation of the threat makes it especially dangerous — developers need to react ASAP.
On the evening of September 15, a new attack against the most popular JavaScript component — npm — began. A number of packages — some with millions of weekly downloads — were infected with malicious code that steals tokens and authentication keys. Its most interesting feature is that it is able to spread automatically — infecting other npm packages. Among the infected packages is the popular @ctrl/tinycolor. According to Aikido Security, almost 150 packages have been compromised — including CrowdStrike packages.
Propagation methodology
The method of the first infection and “patient zero” are currently unknown. Since the attack pattern is very similar to the recent s1ngularity incident, it may have been phishing as well. But the further chain of infection is as follows:
- Malicious code is added to compromised packages in the form of a post-installation script saved in the bundle.js file. When the victim installs the infected package, the script runs. Unlike the previous incident, the script is cross-platform and works in both *nix and Windows environments.
- The script downloads a platform-appropriate version of TruffleHog, a legitimate secret-finding tool. TruffleHog finds high-entropy strings in local file systems and available repositories. These are cryptographic keys, API tokens, and other such information.
- In addition to searching through TruffleHog, the script validates useful tokens by analyzing environment variables such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. It then checks if they are valid by querying the npm whoami and GitHub user API endpoints.
- The script then compromises npm packages to which the attacked user has access with publishing rights. To do this, it downloads the current version of the infected package from npm, increments the subversion by 1, adds a link to the postinstall hook, and writes its copy to the bundle.js file. Then the trojanized “new version” of the package is published to npm.
- Then it marks the victim’s repositories as public ones, which is sometimes a separate, more important leak.
Posts: 1
Threads: 0
Thanks Received: 0 in 0 posts
Thanks Given: 0
Joined: 25 September 25
Scary stuff, supply chain attacks like this really show how exposed developers can be. Token leaks are no joke.
On a related note, I came across how some governments are centralizing access too, like Rajasthan in India with their SSO ID portal (https://sso-id.net/). Different field, but same idea: once access is compromised, everything’s at risk.
What do you all think is the best defense: tighter token scopes or better monitoring?