• Home
  • |
  • Blog
  • |
  • How To Protect Your Company From This npm Supply Chain Attack
How to Protect Your Company from this npm Supply Chain Attack

The security research team from JFrog recently disclosed an npm supply chain attack in which the Company revealed multiple malicious packages in the npm registry. The Company also claims that the malware found in this mpm registry is found to be more dangerous and sophisticated than its early detections. According to the report, this malware will act as a backdoor and allows the attacker to take total control over the infected machine. JFrog also added that the malware are not developed using publicly-available tools but developed in-house. Since the npm packages associated with this supply chain attack are found to be more dangerous, it is worth knowing how to protect your Company from this npm supply chain attack.

What Is NPM?

NPM is a package manager for JavaScript that helps developers share and reuse code. It includes a command-line interface (CLI) that can be used to install, uninstall, and update packages. NPM can also be used to create and publish new packages. NPM is short for Node Package Manager. It was originally created to support the development of Node.js, but it has since been extended to support other programming languages as well.

The npm CLI provides a number of commands that can be used to work with packages:

  1. npm install: This command installs a package from npm’s registry.
  2. npm uninstall: This command removes the package from your project.
  3. npm update: This command updates a package to the latest version.
  4. npm init: This command initializes a new npm project.
  5. npm publish: This command publishes a new package to npm’s registry.

NPM is an important tool for JavaScript developers and is widely used in the Node.js community. If you’re just getting started with Node.js, be sure to check out the npm documentation to learn more about how to use it.

Who Are The Primary Targets Of This New npm Supply Chain Attack?

JFrog published in its technical post that the attackers were apparently targeting a number of prominent companies, including private, public, and governmental companies based out of Germany.

  • Bertelsmann
  • Bosch
  • Stihl
  • DB Schenker

List Of Packages Used In This npm Supply Chain Attack:

Research says that the packages created by these four maintainers were being used in this supply chain attack. Please make a note of the name of these maintainers and remove the packages if you have downloaded them.

  • bertelsmannnpm
  • boschnodemodules
  • stihlnodemodules
  • dbschenkernpm

The vendor confirmed that all the packages were removed from the registry (except packages created by ‘stihlnodemodules’) at the time of writing this post. We urge you to validate the packages and remove them if you had downloaded them before it was removed.

How Does This Supply Chain Attack Work?

To know about the working of the supply chain attack, it is a must to know about the malware used in the supply chain attack.

The malware has two functional components:

  1. Dropper
  2. Payload

The dropper will exfiltrate the information like the victim’s username, hostname, and the content of the files “/etc/hosts” and “/etc/resolv.conf” to the malware’s server ‘www.pkgio.com‘. Upon the completion of the exfiltration process, the dropper will initiate the process of payload execution.

The payload is a malicious code that could be a backdoor, an HTTPS client, which registers itself on startup to a hardcoded C2 server and receives commands from it. The list of commands the payload receives from the C2 server are:

  • download – payload will download a file from the C2 server
  • upload – payload will upload a file to the C2 server, at endpoint “callbackupload”
  • eval – evaluate arbitrary Javascript code
  • exec – execute a local binary
  • delete – terminate the process
  • register – Initial registration of the payload on the C2 server

Please visit the post for the derailed technical report.

How To Protect Your Company From This npm Supply Chain Attack?

There are two actions that you can take on immediate effect:

  • The first action to take to protect your Company from this npm supply chain attack is to remove all the packages created by bertelsmannnpm, boschnodemodules, stihlnodemodules, and dbschenkernpm maintainers.
  • The second action is to block the DNS, IP address, emails, and any IOCs those are associated with this npm supply chain attack. Please see the list of IOCs in the next section.
  • Check the live or retro network communications between the Company’s assets and the IOCs. Take the captured assets as suspicious and conduct security audits on them.
  • Try to locate the dropper or payload files across the assets on the network, isolate the compromised assets and reimage them.

IOCs:

User Agentnpm/7.24.2
node/v12.22.7 Linux
x64/false
HTTPS paths*/callbackupload
*/callbacknode
*/register
*/updateinfosnodejs
https://www.pkgio.com/
DNS*.pkgio[.]com
cdn[.]game-note[.]com
*.game-note[.]com
IP82[.]196[.]7[.]23
82[.]196[.]15[.]238
e-mails[email protected]
[email protected]
[email protected]
[email protected]

We hope this post will help you know how to protect your company from this npm supply chain attack. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.