Malicious Packages in npm, PyPI Highlight Supply Chain Threat – Source: securityboulevard.com

Threat groups continue to look to open source software repositories to launch supply-chain attacks, with cybersecurity vendor Phylum reporting about two instances this month involving npm and the Python Package Index (PyPI).

Attackers aim to get their malicious code into software that is then used by users of the application.

In the case of the npm repository, Phylum researchers found a series of malicious packages that appear to be coming from state-sponsored North Korean cybercriminals and are targeting software developers who may believe they are responding to job-seeking ads.

The researchers discovered a package named execution-time-async version 1.4.1 by a npm user called nino1234. The code in the package was similar to with an execution-time version 1.4.1, a Node.js utility that is used to measure execution time in code and has more than 27,000 weekly downloads.

This tactic of adding plausible sounding worlds to malicious package names is called “combosquatting” and is being increasingly used by bad actors as the popularity of typosquatting – which involves using deliberately misspellings of names – diminishes, according to the researchers.

In this case, the malicious package tries to pass off as a code profiler, but it contains malicious scripts for stealing cryptocurrency and credentials. In addition, the attack tries to hide the malicious code in a test file, likely assuming that few would bother looking for malware in test code, the researchers wrote in a report. It was downloaded 302 times between February 4 and February 25.

The malicious code reaches out to a remote servers to execute files, steals victims’ login credentials and passwords from a number of browsers like Google Chrome, Opera, and Brave, and downloads Python script that triggers downloads of other scripts that let the hackers control targets’ systems, steal other browser secrets, and other tasks.

Following the Trail

Within the obfuscated source code where inline comments – “/Users/ninoacuna/” – that led to the researchers searching GitHub for Nino Acuna, turning up a profile with that name and “binaryExDev” with the File-Uploader package. The day before the execution-time-async npm package was updated to version 1.4.2, the File-Uploader repository changed its host IP addresses to match the IP and port. There also were other similarities.

The investigation widened when Phylum’s automated systems detected similar packages – data-time-utils and login-time-utils – that were published to npm by a user named niacunap02. Then a npm user, ntekyz, published two more packages – mongodb-connection-utils and mongodb-execution-utils – that were almost identical to the other packages Phylum found.

The researchers looked at two GitHub accounts binaryExDev follows, leading them to another repository – mave-finance-org/auth-playground – which had been forked by more than a dozen developers, with some forks “indicating that perhaps these developers were led to believe that this repo was part of a coding challenge, or even a job interview.”

After repeated takedowns of the packages, the bad actors shifted them to other hosts. The link to North Korean threat groups came when Palo Alto Networks’ Unit 42 threat intelligence group alerted Phylum researchers that the obfuscated and malicious JavaScript they originally found coincided with BeaverTail code in npm and linked to a North Korean job-seeking campaign targeting developers.

Dormant Package Given New Life

Also this month, Phylum researchers found a package named Django-log-tracker on PyPI that was first published in April 2022 and had since been dormant until it was updated February 21. It’s likely that the PyPI account was compromised and in an update found this month, the bad actor removed most of the original content, leaving only an _init_.py and example.py file, both with identical and malicious code.

“There’s an undeniable transparency in the code’s intent,” the researchers wrote. “In eight simple lines, it downloads and executes an executable, deceptively named ‘Updater’ – a nomenclature we frequently observe in malicious files. The executable is retrieved from a hardcoded IP address, lying within a directory amusingly labeled ‘DONTTUCHTHIS.’ At this point, there’s no question that this is indeed malicious.”

Four vendors flagged this on VirusTotal as being dangerous.

They found heavily obfuscated JavaScript that turned out to be NovaSentinel, which they described as a “steal-everything-you-can-find malware,” including browser secrets, crypto wallets, Discord tokens, and Wi-Fi passwords. From there it tries to put itself into Chrome, Discord, Exodus, Mullvad, Atomic, and MailSpring.

Unusual Tool for a Supply-Chain Attack

Information stealers like NovaSentinel, which was first detected last year, aren’t new and are fairly low risk for bad actors that come with high rewards.

“What’s interesting about this particular case, however, is that the attack vector appeared to be an attempted supply-chain attack via a compromised PyPI account,” the researchers wrote. “If this had been a really popular package, any project with this package listed as a dependency without a version specified or a flexible version specified in their dependency file would have pulled the latest, malicious version of this package.”

They added that “this underscores, yet again, the implicit trust we, as developers, place in the open-source software ecosystem. Just because you’ve used a safe package yesterday doesn’t mean it will be tomorrow.”

Software supply-chain attacks have become a growing cybersecurity problem as the nature of development has evolved away from building applications from scratch to building them from multiple off-the-shelf components, including third-party APIs, open source code, and proprietary code from vendors. According to CrowdStrike, the average software project includes 203 dependencies.

“If a popular app includes one compromised dependency, EVERY BUSINESS that downloads from the vendor is compromised as well, so the number of victims can grow exponentially,” the cybersecurity vendor wrote. “Also, software is reused, so a vulnerability in one application can live on beyond the original software’s lifecycle.”