Polished persuasion does its job: unwary developers voluntarily let criminals onto their devices.
As recently became known, the NPM package registry has once again become a target for attackers. Their goal is to lure developers into a clever trap and get them to install malicious modules.
Phylum, a software supply chain security company, said in a recent report that the attackers' activity resembles the previous wave of attacks identified in June and subsequently linked to hackers from North Korea.
Between August 9 and August 12 of this year, nine packages with the following names were uploaded to the NPM registry:
- ws-paso-jssdk
- pingan-vue-floating
- srm-front-util
- cloud-room-video
- progress-player
- ynf-core-loader
- ynf-core-renderer
- ynf-dx-scripts
- ynf-dx-webpack-plugins
"Due to the complex nature of the attack and the small number of affected packages, we suspect that this is another narrowly targeted attack. Probably using an aspect of social engineering to get specific people to install these packages," Phylum said.
The attack chain starts with the files "package.json" and "index.js", which launch a hidden process that transmits device data to a remote attacker-controlled server. The malware then polls for incoming instructions every 45 seconds and executes them immediately on arrival.
According to the researchers, the attackers track the GUIDs of infected machines and selectively send additional payloads to the systems of particular interest to them.
Experts also believe that the attack relies on social engineering. The attackers are probably sending the malicious packages to specific developers and trying to convince them that the packages need to be installed. To build trust, domain name spoofing and other tricks are used. This lulls the victim's vigilance and tricks them into running the malware.
Experts note that vulnerabilities in packages can be used not only to attack individual developers, but also to penetrate corporate networks. Such attacks can potentially cause serious business damage, lead to data leaks, extortion, and other negative consequences.
Thorough verification of third-party packages, reserving package names, and separating packages into internal and external modules: these measures will help reduce risk and prevent malware infection. Cybersecurity requires constant vigilance and a responsible approach from every participant in the development process.