The npm package registry has become the focal point of a meticulously targeted attack campaign, designed to lure developers into downloading and installing malicious modules. Notably reminiscent of a previous attack in June, which was linked to North Korean threat actors, this recent wave exhibits similar patterns.
Over a span of three days in August 2023, as many as nine suspicious packages were detected on npm, posing a significant concern. These packages, such as ws-paso-jssdk and pingan-vue-floating, are believed to be part of a highly targeted scheme with potential social engineering tactics at play, compelling victims to unwittingly install them.
The attack strategy unfolds with a series of steps, starting with the package.json file’s postinstall hook, leading to the execution of various JavaScript files. The intricate JavaScript code sets off encrypted communication with a seemingly legitimate remote server, masking its true identity as the RustDesk remote desktop software.
Within 45 seconds of installation, the malware initiates communication, transmitting essential information about the compromised host. The attackers’ selective approach to issuing additional payloads based on monitored machine GUIDs reveals a calculated effort. In addition to this, a case of typosquatting with a popular Ethereum package highlights the pervasive nature of supply chain vulnerabilities.
Further security concerns arise from recent controversial changes found in the highly utilized NuGet package, Moq. Versions 4.20.0 and 4.20.1 introduced a new dependency, SponsorLink, which raised privacy and GDPR compliance issues by extracting cryptographic hashes of developer email addresses without consent.
Although rolled back in version 4.20.2, the incident strained the trust between developers and the project, leading to Amazon Web Services’ withdrawal of support. These developments underscore the increasing vulnerability of organizations to dependency confusion attacks, potentially enabling the inadvertent introduction of malicious code. To mitigate such risks, experts recommend publishing internal packages within designated scopes and reserving package names as a preventive measure against misuse in the public registry.
