Hackers planted malicious code in open source software packages with more than 2 billion weekly updates in what is likely to be the world’s biggest supply-chain attack ever.
The attack, which compromised nearly two dozen packages hosted on the npm repository, came to public notice on Monday in socialmedia posts. Around the same time, Josh Junon, a maintainer or co-maintainer of the affected packages, said he had been “pwned” after falling for an email that claimed his account on the platform would be closed unless he logged in to a site and updated his two-factor authentication credentials.
Defeating 2FA the easy way
“Sorry everyone, I should have paid more attention,” Junon, who uses the moniker Qix, wrote. “Not like me; have had a stressful week. Will work to get this cleaned up.”
The unknown attackers behind the account compromise wasted no time capitalizing on it. Within an hour’s time, dozens of open source packages Junon oversees had received updates that added malicious code for transferring cryptocurrency payments to attacker-controlled wallets. With more than 280 lines of code, the addition worked by monitoring infected systems for cryptocurrency transactions and changing the addresses of wallets receiving payments to those controlled by the attacker.
The packages that were compromised, which at last count numbered 20, included some of the most foundational code driving the JavaScript ecosystem. They are used outright and also have thousands of dependents, meaning other npm packages that don’t work unless they are also installed. (npm is the official code repository for JavaScript files.)
“The overlap with such high-profile projects significantly increases the blast radius of this incident,” researchers from security firm Socket said. “By compromising Qix, the attackers gained the ability to push malicious versions of packages that are indirectly depended on by countless applications, libraries, and frameworks.”
The researchers added: “Given the scope and the selection of packages impacted, this appears to be a targeted attack designed to maximize reach across the ecosystem.”
The email message Junon fell for came from an email address at support.npmjs.help, a domain created three days ago to mimic the official npmjs.com used by npm. It said Junon’s account would be closed unless he updated information related to his 2FA—which requires users to present a physical security key or supply a one-time passcode provided by an authenticator app in addition to a password when logging in.
The –no-preserve-root flag is specifically designed to override safety protections that would normally prevent deletion of the root directory.
The postinstall script that includes a Windows-equivalent destructive command was:
rm /s /q
Socket published a separate report Wednesday on yet more supply-chain attacks, one targeting npm users and another targeting users of PyPI. As of Wednesday, the four malicious packages—three published to npm and the fourth on PyPI—collectively had been downloaded more than 56,000 times. Socket said it was working to get them removed.
When installed, the packages “covertly integrate surveillance functionality into the developer’s environment, enabling keylogging, screen capture, fingerprinting, webcam access, and credential theft,” Socket researchers wrote. They added that the malware monitored and captured user activity and transmitted it to attacker-controlled infrastructure. Socket used the term surveillance malware to emphasize the covert observation and data exfiltration tactics “in the context of malicious dependencies.”
Last Friday, Socket reported the third attack. This one compromised an account on npm and used the access to plant malicious code inside three packages available on the site. The compromise occurred after the attackers successfully obtained a credential token that the developer used to authenticate to the site.
The attackers obtained the credential through a targeted phishing attack Socket had disclosed hours earlier. The email instructed the recipient to log in through a URL on npnjs.com. The site is a typosquatting spoof of the official npmjs.com domain. To make the attack more convincing, the phishing URL contained a token field that mimicked tokens npm uses for authentication. The phishing URL was in the format of https://npnjs.com/login?token=xxxxxx where the xxxxxx represented the token.
A phishing email targeting npm account holders.
Credit: Socket
A phishing email targeting npm account holders. Credit: Socket
Also compromised was an npm package known as ‘is.’ It receives roughly 2.8 million downloads weekly.
Potential for widespread damage
Supply-chain attacks like the ones Socket has flagged have the potential to cause widespread damage. Many packages available in repositories are dependencies, meaning the dependencies must be incorporated into downstream packages for those packages to work. In many developer flows, new dependency versions are downloaded and incorporated into the downstream packages automatically.
The packages flagged in the three attacks are:
@toptal/picasso-tailwind
@toptal/picasso-charts
@toptal/picasso-shared
@toptal/picasso-provider
@toptal/picasso-select
@toptal/picasso-quote
@toptal/picasso-forms
@xene/core
@toptal/picasso-utils
@toptal/picasso-typography.
is version 3.3.1, 5.0.0
got-fetch version 5.1.11, 5.1.12
Eslint-config-prettier, versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7
Eslint-plugin-prettier, versions 4.2.2 and 4.2.3
Synckit, version 0.11.9
@pkgr/core, version 0.2.8
Napi-postinstall, version 0.3.1
Developers who work with any of the packages targeted should ensure none of the malicious versions have been installed or incorporated into their wares. Developers working with open source packages should:
Monitor repository visibility changes in search of suspicious or unusual publishing of packages
Review package.json lifecycle scripts before installing dependencies
Use automated security scanning in continuous integration and continuous delivery pipelines
Regularly rotate authentication tokens
Use multifactor authentication to safeguard repository accounts
Additionally, repositories that haven’t yet made MFA mandatory should do so in the near future.
Screenshot showing a graph tracking mining activity. Credit: Checkmarx
But wait, there’s more
On Friday, Datadog revealed that MUT-1244 employed additional means for installing its second-stage malware. One was through a collection of at least 49 malicious entries posted to GitHub that contained Trojanized proof-of-concept exploits for security vulnerabilities. These packages help malicious and benevolent security personnel better understand the extent of vulnerabilities, including how they can be exploited or patched in real-life environments.
A second major vector for spreading @0xengine/xmlrpc was through phishing emails. Datadog discovered MUT-1244 had left a phishing template, accompanied by 2,758 email addresses scraped from arXiv, a site frequented by professional and academic researchers.
A phishing email used in the campaign. Credit: Datadog
The email, directed to people who develop or research software for high-performance computing, encouraged them to install a CPU microcode update available that would significantly improve performance. Datadog later determined that the emails had been sent from October 5 through October 21.
Additional vectors discovered by Datadog. Credit: Datadog
Further adding to the impression of legitimacy, several of the malicious packages are automatically included in legitimate sources, such as Feedly Threat Intelligence and Vulnmon. These sites included the malicious packages in proof-of-concept repositories for the vulnerabilities the packages claimed to exploit.
“This increases their look of legitimacy and the likelihood that someone will run them,” Datadog said.
The attackers’ use of @0xengine/xmlrpc allowed them to steal some 390,000 credentials from infected machines. Datadog has determined the credentials were for use in logging into administrative accounts for websites that run the WordPress content management system.
Taken together, the many facets of the campaign—its longevity, its precision, the professional quality of the backdoor, and its multiple infection vectors—indicate that MUT-1244 was a skilled and determined threat actor. The group did, however, err by leaving the phishing email template and addresses in a publicly available account.
The ultimate motives of the attackers remain unclear. If the goal were to mine cryptocurrency, there would likely be better populations than security personnel to target. And if the objective was targeting researchers—as other recently discovered campaigns have done—it’s unclear why MUT-1244 would also employ cryptocurrency mining, an activity that’s often easy to detect.
Reports from both Checkmarx and Datadog include indicators people can use to check if they’ve been targeted.
A software maker serving more than 10,000 courtrooms throughout the world hosted an application update containing a hidden backdoor that maintained persistent communication with a malicious website, researchers reported Thursday, in the latest episode of a supply-chain attack.
The software, known as the JAVS Viewer 8, is a component of the JAVS Suite 8, an application package courtrooms use to record, play back, and manage audio and video from proceedings. Its maker, Louisville, Kentucky-based Justice AV Solutions, says its products are used in more than 10,000 courtrooms throughout the US and 11 other countries. The company has been in business for 35 years.
JAVS Viewer users at high risk
Researchers from security firm Rapid7 reported that a version of the JAVS Viewer 8 available for download on javs.com contained a backdoor that gave an unknown threat actor persistent access to infected devices. The malicious download, planted inside an executable file that installs the JAVS Viewer version 8.3.7, was available no later than April 1, when a post on X (formerly Twitter) reported it. It’s unclear when the backdoored version was removed from the company’s download page. JAVS representatives didn’t immediately respond to questions sent by email.
“Users who have version 8.3.7 of the JAVS Viewer executable installed are at high risk and should take immediate action,” Rapid7 researchers Ipek Solak, Thomas Elkins, Evan McCann, Matthew Smith, Jake McMahon, Tyler McGraw, Ryan Emmons, Stephen Fewer, and John Fenninger wrote. “This version contains a backdoored installer that allows attackers to gain full control of affected systems.”
The installer file was titled JAVS Viewer Setup 8.3.7.250-1.exe. When executed, it copied the binary file fffmpeg.exe to the file path C:Program Files (x86)JAVSViewer 8. To bypass security warnings, the installer was digitally signed, but with a signature issued to an entity called “Vanguard Tech Limited” rather than to “Justice AV Solutions Inc.,” the signing entity used to authenticate legitimate JAVS software.
fffmpeg.exe, in turn, used Windows Sockets and WinHTTP to establish communications with a command-and-control server. Once successfully connected, fffmpeg.exe sent the server passwords harvested from browsers and data about the compromised host, including hostname, operating system details, processor architecture, program working directory, and the user name.
The researchers said fffmpeg.exe also downloaded the file chrome_installer.exe from the IP address 45.120.177.178. chrome_installer.exe went on to execute a binary and several Python scripts that were responsible for stealing the passwords saved in browsers. fffmpeg.exe is associated with a known malware family called GateDoor/Rustdoor. The exe file was already flagged by 30 endpoint protection engines.
Enlarge/ A screenshot from VirusTotal showing detections from 30 endpoint protection engines.
The researchers warned that the process of disinfecting infected devices will require care. They wrote:
To remediate this issue, affected users should:
Reimage any endpoints where JAVS Viewer 8.3.7 was installed. Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate.
Reset credentials for any accounts that were logged into affected endpoints. This includes local accounts on the endpoint itself as well as any remote accounts accessed during the period when JAVS Viewer 8.3.7 was installed. Attackers may have stolen credentials from compromised systems.
Reset credentials used in web browsers on affected endpoints. Browser sessions may have been hijacked to steal cookies, stored passwords, or other sensitive information.
Install the latest version of JAVS Viewer (8.3.8 or higher) after re-imaging affected systems. The new version does not contain the backdoor present in 8.3.7.
Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. All organizations running JAVS Viewer 8.3.7 should take these steps immediately to address the compromise.
The Rapid7 post included a statement from JAVS that confirmed that the installer for version 8.3.7 of the JAVS viewer was malicious.
“We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems,” the statement read. “We confirmed all currently available files on the JAVS.com website are genuine and malware-free. We further verified that no JAVS Source code, certificates, systems, or other software releases were compromised in this incident.”
The statement didn’t explain how the installer became available for download on its site. It also didn’t say if the company retained an outside firm to investigate.
The incident is the latest example of a supply-chain attack, a technique that tampers with a legitimate service or piece of software with the aim of infecting all downstream users. These sorts of attacks are usually carried out by first hacking the provider of the service or software. There’s no sure way to prevent falling victim to supply-chain attacks, but one potentially useful measure is to vet a file using VirusTotal before executing it. That advice would have served JAVS users well.
