The security research team at JFrog recently disclosed an npm supply chain attack in which the company found multiple malicious packages in the npm registry. The company also states that the malware found in the npm registry is more dangerous and sophisticated than its earlier detections. According to the report, the malware acts as a backdoor and allows the attacker to take total control of the infected machine. JFrog also added that the malware was not built from publicly available tools but developed in-house. Since the npm packages associated with this supply chain attack are more dangerous than usual, it is worth knowing how to protect your company from this npm supply chain attack.
What Is NPM?
The npm CLI provides a number of commands that can be used to work with packages:
- npm install: This command installs a package from npm’s registry.
- npm uninstall: This command removes the package from your project.
- npm update: This command updates a package to the latest version.
- npm init: This command initializes a new npm project.
- npm publish: This command publishes a new package to npm’s registry.
Who Are The Primary Targets Of This New npm Supply Chain Attack?
JFrog stated in its technical post that the attackers were apparently targeting a number of prominent private, public, and governmental organizations based in Germany, including:
- DB Schenker
List Of Packages Used In This npm Supply Chain Attack:
Research shows that the packages created by these four maintainers were being used in this supply chain attack. Please make a note of the names of these maintainers and remove the packages if you have downloaded them.
The vendor confirmed that all the packages (except those created by ‘stihlnodemodules’) had been removed from the registry at the time of writing this post. We urge you to check for these packages and remove them if you downloaded them before they were removed.
How Does This Supply Chain Attack Work?
To understand how the supply chain attack works, you first need to understand the malware it uses.
The malware has two functional components, a dropper and a payload:
The dropper exfiltrates information such as the victim’s username, hostname, and the contents of the files “/etc/hosts” and “/etc/resolv.conf” to the malware’s server ‘www.pkgio.com’. Once the exfiltration is complete, the dropper starts executing the payload.
The payload is malicious code acting as a backdoor: an HTTPS client that registers itself on startup with a hardcoded C2 server and receives commands from it. The commands the payload accepts from the C2 server are:
- download – the payload downloads a file from the C2 server
- upload – the payload uploads a file to the C2 server, at the endpoint “callbackupload”
- exec – execute a local binary
- delete – terminate the process
- register – initial registration of the payload on the C2 server
Please visit the post for the detailed technical report.
How To Protect Your Company From This npm Supply Chain Attack?
There are two actions you can take with immediate effect, followed by two checks:
- The first action to take to protect your company from this npm supply chain attack is to remove all packages created by the maintainers bertelsmannnpm, boschnodemodules, stihlnodemodules, and dbschenkernpm.
- The second action is to block the DNS names, IP addresses, email addresses, and any other IOCs associated with this npm supply chain attack. Please see the list of IOCs in the next section.
- Check live or retrospective network communications between the company’s assets and the IOCs. Treat any assets that match as suspicious and conduct security audits on them.
- Try to locate the dropper or payload files across the assets on the network; isolate compromised assets and reimage them.
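As an added example (not code from the post or from JFrog), a small Python triage script for the actions above: it flags packages whose registry maintainers match the four named accounts, and hunts proxy log lines for traffic to www.pkgio.com or to the payload’s “callbackupload” endpoint. The log format, package names and addresses are constructed, and the `maintainers` shape of `npm view <pkg> --json` output is an assumption.

```python
"""Triage helpers for the two immediate actions above: find installed packages
owned by the named maintainers, and hunt logs for traffic to the named IOCs.
All sample data below is constructed; only the maintainer names, the host
www.pkgio.com and the 'callbackupload' endpoint come from the post."""
import re
from typing import Dict, Iterable, List, Set, Tuple

BLOCKED_MAINTAINERS = {"bertelsmannnpm", "boschnodemodules", "stihlnodemodules", "dbschenkernpm"}
IOC_HOSTS = {"www.pkgio.com"}          # dropper exfiltration server named in the post
UPLOAD_ENDPOINT = "callbackupload"     # endpoint used by the payload's 'upload' command

def packages_to_remove(registry_docs: Dict[str, dict], blocked: Set[str] = BLOCKED_MAINTAINERS) -> Set[str]:
    """registry_docs maps package name -> metadata as returned by `npm view <pkg> --json`;
    the assumed shape is a top-level 'maintainers' list of {'name': ..., 'email': ...}."""
    return {name for name, doc in registry_docs.items()
            if any(m.get("name") in blocked for m in doc.get("maintainers", []))}

# Assumed (constructed) proxy log format: '<timestamp> <source-ip> <METHOD> <url>'
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/\s]+)(?P<path>\S*)")

def flag_ioc_traffic(log_lines: Iterable[str], hosts: Set[str] = IOC_HOSTS) -> List[Tuple[str, str, str, str]]:
    """Return (source-ip, host, path, reason) for each line that contacts an IOC host
    or posts to the payload's upload endpoint (the C2 host itself is not named in the post)."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        is_ioc = m["host"].lower() in hosts
        is_upload = m["path"].rstrip("/").endswith("/" + UPLOAD_ENDPOINT)
        if is_upload:
            flagged.append((m["src"], m["host"], m["path"], "upload endpoint (payload 'upload' command)"))
        elif is_ioc:
            flagged.append((m["src"], m["host"], m["path"], "contact with IOC host"))
    return flagged

# Constructed sample data (package names and addresses are placeholders).
SAMPLE_REGISTRY = {
    "pkg-a": {"maintainers": [{"name": "someone-else", "email": "dev@example.org"}]},
    "pkg-b": {"maintainers": [{"name": "boschnodemodules", "email": "x@example.org"}]},
}
SAMPLE_LOG = [
    "2022-05-10T08:01:02Z 10.0.0.5 GET https://registry.npmjs.org/pkg-a",
    "2022-05-10T08:01:10Z 10.0.0.5 POST https://www.pkgio.com/",
    "2022-05-10T08:02:00Z 10.0.0.7 POST https://203.0.113.10/callbackupload",
]

if __name__ == "__main__":
    print("remove:", sorted(packages_to_remove(SAMPLE_REGISTRY)))
    for hit in flag_ioc_traffic(SAMPLE_LOG):
        print("flag:", hit)
```

For real use, feed `packages_to_remove` the output of `npm view <pkg> --json` for each entry in your lockfile, and feed `flag_ioc_traffic` your own proxy or DNS logs after adapting `LOG_RE` to their format.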
We hope this post will help you know how to protect your company from this npm supply chain attack.