A recent attack campaign has targeted the npm package registry [1], with the intention of tricking developers into downloading malicious modules [1] [2] [3]. This campaign bears similarities to a previous attack wave attributed to North Korean threat actors [3].
Description
Between August 9 and 12, 2023 [1] [2], nine packages were uploaded to npm as part of this attack. The attackers utilized a postinstall hook in the package.json file to execute an index.js file [1] [2], which then initiated a daemon process that communicated with a remote server [2]. Through this process, the attackers monitored machine GUIDs and selectively sent additional payloads to specific machines [1] [2].
In addition, a typosquat version of a popular Ethereum package on npm was discovered [1] [2]. This version made an HTTP request to a Chinese server [1], raising concerns about its legitimacy.
Furthermore, the widely used NuGet package Moq faced criticism for introducing a new dependency that extracted developer email addresses without consent [1]. This raised concerns about compliance with GDPR regulations.
Conclusion
These incidents highlight the vulnerability of organizations to supply chain attacks [1]. It is crucial to implement mitigations such as publishing internal packages under organization scopes and reserving internal package names in the public registry as placeholders [2]. These measures can help protect against similar attacks in the future and ensure compliance with data protection regulations.
References
[1] https://thehackernews.com/2023/08/north-korean-hackers-suspected-in-new.html
[2] https://www.redpacketsecurity.com/north-korean-hackers-suspected-in-new-wave-of-malicious-npm-packages/
[3] https://gixtools.net/2023/08/north-korean-hackers-suspected-in-new-wave-of-malicious-npm-packages/