Carding
Professional
Researchers at the DevSecOps company Phylum have discovered seven malicious packages on crates.io, the official package registry for Rust. This is the second such incident since the Rust Security Response WG and the crates.io team reported the malicious crate rustdecimal in May 2022.
The researchers say the new finds may be signs of preparation for a wider campaign. All seven packages were initially published without content and then received updates with suspicious code over the course of several days.
The code was designed to covertly collect information about the infected host and send it to a Telegram channel. All of the identified packages used typosquatted names (names similar to more popular libraries) to trick developers into accidentally pulling them into their projects.
Based on experience monitoring similar campaigns against other package repositories, Phylum expects the attacker to push further updates with more malicious content once systems worth infecting have been identified.
Phylum has not yet provided any details about the attacker, but noted its concern about possible activity by North Korean APTs, which seek to compromise developers and use their machines to break into large companies or to attack supply chains.
After all, just at the end of July, GitHub published a warning that North Korean hackers were posing as software engineers and inviting developers from well-known companies to collaborate on joint projects. Many of these projects contained malware or imported malicious npm (JavaScript) packages.
As Rust becomes more and more popular among software companies, we should expect the ecosystem to receive similar attention from cybercriminals.
Since crates.io uses the same "weak" methods for publishing packages as npm and PyPI, the Rust ecosystem has plenty of potential for exploitation.
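Since the crates in this report relied on typosquatted names, a practical check is to compare every dependency name in a Cargo.toml against a list of popular crates and flag any that are one edit away from a well-known name without being that name. The program below is an added example written for this post, not Phylum's tooling or anything from the report; the list of popular crates and the sample Cargo.toml are constructed for illustration (rustdecimal versus rust_decimal mirrors the May 2022 case mentioned above), and it uses a deliberately minimal Cargo.toml reader rather than the toml crate so it runs with no dependencies.

```rust
// Added example: flag typosquat-like dependency names in a Cargo.toml.
// Not code from the report or from Phylum; the crate list and manifest
// below are constructed sample data.
use std::collections::HashSet;

/// Constructed sample of popular crate names to compare against.
/// In practice this would be a snapshot of the most-downloaded crates.
pub const POPULAR_CRATES: &[&str] = &[
    "serde", "tokio", "rand", "regex", "reqwest", "rust_decimal", "hyper", "clap",
];

/// Optimal-string-alignment (restricted Damerau-Levenshtein) distance, so an
/// adjacent transposition such as "tokoi" vs "tokio" counts as a single edit.
pub fn osa_distance(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let (n, m) = (a.len(), b.len());
    let mut d = vec![vec![0usize; m + 1]; n + 1];
    for i in 0..=n { d[i][0] = i; }
    for j in 0..=m { d[0][j] = j; }
    for i in 1..=n {
        for j in 1..=m {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            let mut v = (d[i - 1][j] + 1).min(d[i][j - 1] + 1).min(d[i - 1][j - 1] + cost);
            if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1] {
                v = v.min(d[i - 2][j - 2] + 1); // transposition
            }
            d[i][j] = v;
        }
    }
    d[n][m]
}

/// crates.io treats '-' and '_' as equivalent when deciding whether a name is
/// taken, so normalise before comparing to avoid false positives on that axis.
fn normalise(name: &str) -> String {
    name.replace('-', "_").to_ascii_lowercase()
}

/// Minimal reader for the `[dependencies]`-style tables of a Cargo.toml.
/// Handles `name = "1.0"` and `name = { ... }` lines only (assumption: enough
/// for this example; a real tool should parse TOML properly).
pub fn dependency_names(cargo_toml: &str) -> Vec<String> {
    let mut names = Vec::new();
    let mut in_deps = false;
    for raw in cargo_toml.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            in_deps = matches!(line, "[dependencies]" | "[dev-dependencies]" | "[build-dependencies]");
            continue;
        }
        if in_deps && !line.is_empty() && !line.starts_with('#') {
            if let Some((name, _)) = line.split_once('=') {
                names.push(name.trim().to_string());
            }
        }
    }
    names
}

/// Return (dependency, closest popular crate, distance) for each dependency
/// that is not itself a popular crate but lies within `max_distance` of one.
pub fn suspicious_dependencies(cargo_toml: &str, popular: &[&str], max_distance: usize)
    -> Vec<(String, String, usize)>
{
    let known: HashSet<String> = popular.iter().map(|p| normalise(p)).collect();
    let mut out = Vec::new();
    for dep in dependency_names(cargo_toml) {
        let norm = normalise(&dep);
        if known.contains(&norm) {
            continue; // exact (normalised) match with a popular crate: fine
        }
        let mut best: Option<(&str, usize)> = None;
        for p in popular {
            let d = osa_distance(&norm, &normalise(p));
            if best.map_or(true, |(_, bd)| d < bd) {
                best = Some((*p, d));
            }
        }
        if let Some((p, d)) = best {
            if d <= max_distance {
                out.push((dep, p.to_string(), d));
            }
        }
    }
    out
}

/// Constructed sample manifest: two legitimate dependencies and two lookalikes.
pub const SAMPLE_CARGO_TOML: &str = r#"
[package]
name = "demo"
version = "0.1.0"

[dependencies]
serde = "1"
tokoi = "1.28"
rustdecimal = "1.30"
regex = "1"
"#;

fn main() {
    for (dep, popular, d) in suspicious_dependencies(SAMPLE_CARGO_TOML, POPULAR_CRATES, 1) {
        println!("WARNING: dependency `{dep}` is {d} edit(s) from popular crate `{popular}`");
    }
}
```

Run against the sample manifest it reports `tokoi` (one transposition from `tokio`) and `rustdecimal` (one deletion from `rust_decimal`) while leaving `serde` and `regex` alone. A distance threshold of 1 keeps the noise low; raising it catches more creative lookalikes at the cost of false positives, and any hit still needs a human to confirm the package was pulled in by mistake rather than by choice.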