Table of Contents
The security research team from JFrog recently disclosed an npm supply chain attack in which the Company revealed multiple malicious packages in the npm registry. The Company also claims that the malware found in this mpm registry is found to be more dangerous and sophisticated than its early detections. According to the report, this malware will act as a backdoor and allows the attacker to take total control over the infected machine. JFrog also added that the malware are not developed using publicly-available tools but developed in-house. Since the npm packages associated with this supply chain attack are found to be more dangerous, it is worth knowing how to protect your Company from this npm supply chain attack.
What Is NPM?
NPM is a package manager for JavaScript that helps developers share and reuse code. It includes a command-line interface (CLI) that can be used to install, uninstall, and update packages. NPM can also be used to create and publish new packages. NPM is short for Node Package Manager. It was originally created to support the development of Node.js, but it has since been extended to support other programming languages as well.
The npm CLI provides a number of commands that can be used to work with packages:
npm install: This command installs a package from npm’s registry.
npm uninstall: This command removes the package from your project.
npm update: This command updates a package to the latest version.
npm init: This command initializes a new npm project.
npm publish: This command publishes a new package to npm’s registry.
NPM is an important tool for JavaScript developers and is widely used in the Node.js community. If you’re just getting started with Node.js, be sure to check out the npm documentation to learn more about how to use it.
Who Are The Primary Targets Of This New npm Supply Chain Attack?
JFrog published in its technical post that the attackers were apparently targeting a number of prominent companies, including private, public, and governmental companies based out of Germany.
Bertelsmann
Bosch
Stihl
DB Schenker
List Of Packages Used In This npm Supply Chain Attack:
Research says that the packages created by these four maintainers were being used in this supply chain attack. Please make a note of the name of these maintainers and remove the packages if you have downloaded them.
bertelsmannnpm
boschnodemodules
stihlnodemodules
dbschenkernpm
The vendor confirmed that all the packages were removed from the registry (except packages created by ‘stihlnodemodules’) at the time of writing this post. We urge you to validate the packages and remove them if you had downloaded them before it was removed.
How Does This Supply Chain Attack Work?
To know about the working of the supply chain attack, it is a must to know about the malware used in the supply chain attack.
The malware has two functional components:
Dropper
Payload
The dropper will exfiltrate the information like the victim’s username, hostname, and the content of the files “/etc/hosts” and “/etc/resolv.conf” to the malware’s server ‘www.pkgio.com‘. Upon the completion of the exfiltration process, the dropper will initiate the process of payload execution.
The payload is a malicious code that could be a backdoor, an HTTPS client, which registers itself on startup to a hardcoded C2 server and receives commands from it. The list of commands the payload receives from the C2 server are:
download – payload will download a file from the C2 server
upload – payload will upload a file to the C2 server, at endpoint “callbackupload”
eval – evaluate arbitrary Javascript code
exec – execute a local binary
delete – terminate the process
register – Initial registration of the payload on the C2 server
Please visit the post for the derailed technical report.
How To Protect Your Company From This npm Supply Chain Attack?
There are two actions that you can take on immediate effect:
The first action to take to protect your Company from this npm supply chain attack is to remove all the packages created by bertelsmannnpm, boschnodemodules, stihlnodemodules, and dbschenkernpm maintainers.
The second action is to block the DNS, IP address, emails, and any IOCs those are associated with this npm supply chain attack. Please see the list of IOCs in the next section.
Check the live or retro network communications between the Company’s assets and the IOCs. Take the captured assets as suspicious and conduct security audits on them.
Try to locate the dropper or payload files across the assets on the network, isolate the compromised assets and reimage them.
IOCs:
| User Agent | npm/7.24.2 node/v12.22.7 Linux x64/false |
| HTTPS paths | */callbackupload */callbacknode */register */updateinfosnodejs https://www.pkgio.com/ |
| DNS | *.pkgio[.]com cdn[.]game-note[.]com *.game-note[.]com |
| IP | 82[.]196[.]7[.]23 82[.]196[.]15[.]238 |
| e-mails | bertelsmannnpm@protonmail.com boschnodemodules@protonmail.com dbschenkernpm@protonmail.com stihlnodemodules@protonmail.com |
We hope this post will help you know how to protect your company from this npm supply chain attack. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
