NPM packages have become paid: now you need to pay with SSH keys and data

Carding

Posing as trusted libraries, attackers are targeting software supply chains.

Sonatype cybersecurity researchers have discovered a batch of malicious packages in the npm registry designed to exfiltrate Kubernetes configurations and SSH keys from infected machines to a remote server.

Sonatype has reported 14 different npm packages that attempt to mimic JavaScript libraries and components, such as ESLint plugins and TypeScript SDK tools. After installation, however, several versions of the packages run obfuscated code to collect sensitive files from the target machine and exfiltrate them.

In addition to Kubernetes configuration and SSH keys, the modules also collect system metadata, such as the user name, IP address, and hostname, which is transmitted to the app.threatest[.]com domain.

In general, by mimicking popular libraries, attackers can mislead developers and trick them into installing malicious packages, which threatens the entire software supply chain. Additional threats include the theft of cryptocurrency keys, the use of computer resources to mine cryptocurrency, and the expansion of attacks to other operating systems, such as macOS. The attackers' unclear intentions add further uncertainty and risk.
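The two warning signs described above (install-time scripts that touch SSH or Kubernetes credentials or run obfuscated code, and package names that imitate popular libraries) can be checked before a package is allowed into a build. The following audit script is an added example, not code from the article, Sonatype, or any npm project: it takes a parsed package.json object and reports findings. The allow-list of well-known package names, the regular expressions, and both sample package.json objects are constructed for the example; the only value taken from the article is the app.threatest[.]com domain, which is used as a detection string and never contacted.

```javascript
// Added example (not from the article or Sonatype): a pre-install audit for a
// package.json object that flags
//   1. lifecycle hooks (preinstall/install/postinstall/prepare) that reference
//      SSH or Kubernetes credential paths, a known exfiltration domain, or
//      obfuscation primitives (eval, base64 decoding, hex escapes);
//   2. a package name within a couple of edits of a well-known library name
//      (a lookalike / typosquat), via Levenshtein distance.
// All package data and the allow-list below are constructed for the example.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Paths a benign ESLint plugin or TypeScript helper has no reason to read at
// install time, plus the exfil domain named in the Sonatype report.
const SENSITIVE_PATTERNS = [
  /\.ssh\b/i,             // ~/.ssh (id_rsa, authorized_keys, ...)
  /id_rsa|id_ed25519/i,
  /\.kube\b/i,            // ~/.kube/config
  /kubeconfig/i,
  /threatest\.com/i,      // domain from the article (detection string only)
];

const OBFUSCATION_PATTERNS = [
  /\beval\s*\(/,
  /new\s+Function\s*\(/,
  /Buffer\.from\([^)]*['"]base64['"]\)/,
  /String\.fromCharCode/,
  /\\x[0-9a-f]{2}\\x[0-9a-f]{2}/i,   // runs of literal hex escapes
];

// Constructed allow-list of popular names a lookalike package would imitate.
const KNOWN_PACKAGES = ["eslint-plugin-react", "typescript", "lodash", "express", "@types/node"];

// Classic dynamic-programming edit distance.
function levenshtein(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Returns a list of human-readable findings; an empty list means nothing flagged.
function auditPackage(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    if (SENSITIVE_PATTERNS.some((re) => re.test(cmd))) {
      findings.push(`${hook}: references credential paths or a known exfil domain`);
    }
    if (OBFUSCATION_PATTERNS.some((re) => re.test(cmd))) {
      findings.push(`${hook}: obfuscated code in install hook`);
    }
    if (cmd.length > 400) findings.push(`${hook}: unusually long one-liner`);
  }
  for (const known of KNOWN_PACKAGES) {
    const d = levenshtein(pkg.name, known);
    if (d > 0 && d <= 2) {
      findings.push(`name "${pkg.name}" is within ${d} edits of "${known}" (possible lookalike)`);
    }
  }
  return findings;
}

// Constructed sample: lookalike name plus a postinstall hook that decodes and
// evaluates a payload and points it at credential files. Not a working script.
const suspicious = {
  name: "eslint-plugin-reakt",
  version: "1.0.3",
  scripts: {
    postinstall: "node -e \"eval(Buffer.from(process.env.P,'base64').toString())\" -- ~/.ssh/id_rsa ~/.kube/config",
  },
};

// Constructed sample: the genuine name with ordinary build/test scripts.
const benign = {
  name: "eslint-plugin-react",
  version: "7.0.0",
  scripts: { test: "jest", build: "tsc -p ." },
};

console.log(JSON.stringify({ suspicious: auditPackage(suspicious), benign: auditPackage(benign) }, null, 2));
```

A check like this belongs in a pre-install gate (for example over the tarballs a lockfile resolves to), and it complements rather than replaces `npm install --ignore-scripts`, which stops lifecycle hooks from running at all; the name check only catches near-misses of names in the allow-list, so the list has to cover the libraries a team actually depends on.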

Earlier, Sonatype specialists discovered that the PyPI repository openly advertised an infostealer that can steal confidential data and send it to the attacker's Discord server.

In recent months, two banks have been targeted by attacks on the open source supply chain, the first incidents of this kind. According to Checkmarx, in separate campaigns in February and April, attackers uploaded packages with malicious scripts to the open source software platform npm. The campaigns were aimed at stealing login credentials for banking systems.

Earlier, Checkmarx researchers revealed a campaign in which cybercriminals found a way to inject malicious code into npm packages without changing their source code. The attackers took over AWS S3 buckets that had been abandoned by their owners and replaced the binary files that the packages download from them in order to work.