In recent months, two banks have been the target of attacks on the open source supply chain, the first of its kind.
In separate campaigns in February and April, attackers uploaded packages of malicious scripts to the npm open source software platform, according to Checkmarx analysts.
During one of the attacks, a hacker placed several infected packages with scripts inside that identified the victim's operating system. Depending on whether it was Windows, Linux, or MacOS, the script decoded the other encrypted files in the package. These files were then used to download malicious code to the target computer.
The attacker who downloaded the packages created a fake LinkedIn* page where he posed as an employee of the target bank. Because of this, Checkmarx researchers thought the bank might be doing penetration testing, but the bank said the npm packages uploaded were not related to the organization. The hacker also created individual Command and Control (C2) servers for each target.
In another incident, an attacker injected malicious code into an online banking login page. The payload showed that the cybercriminal had identified a unique element ID in the HTML code of the login page and developed his code to capture a specific login form element, stealthily intercepting and exfiltrating the login data.
The malicious packages were removed after they were discovered by researchers, but Checkmarx experts expect "a steady trend of attacks on the banking sector software supply chain."
In separate campaigns in February and April, attackers uploaded packages of malicious scripts to the npm open source software platform, according to Checkmarx analysts.
During one of the attacks, a hacker placed several infected packages with scripts inside that identified the victim's operating system. Depending on whether it was Windows, Linux, or MacOS, the script decoded the other encrypted files in the package. These files were then used to download malicious code to the target computer.
The attacker who downloaded the packages created a fake LinkedIn* page where he posed as an employee of the target bank. Because of this, Checkmarx researchers thought the bank might be doing penetration testing, but the bank said the npm packages uploaded were not related to the organization. The hacker also created individual Command and Control (C2) servers for each target.
In another incident, an attacker injected malicious code into an online banking login page. The payload showed that the cybercriminal had identified a unique element ID in the HTML code of the login page and developed his code to capture a specific login form element, stealthily intercepting and exfiltrating the login data.
The malicious packages were removed after they were discovered by researchers, but Checkmarx experts expect "a steady trend of attacks on the banking sector software supply chain."
