
A new kind of software supply chain attack targeting open source projects shows that attackers can gain control of expired Amazon S3 buckets and deliver malicious binaries without modifying the modules themselves.
“Malicious binaries steal user IDs, passwords, local machine environment variables, local hostnames and send the stolen data to a hijacked bucket,” said Checkmarx researcher Guy Nachshon.
This attack was first observed in the case of an npm package called bignum. Until version 0.13.0, this package relied on an Amazon S3 bucket during installation to download prebuilt binary versions of an addon named node-pre-gyp.

According to a GitHub advisory published on May 24, 2023, “These binaries were published on an expired S3 bucket and were subsequently claimed by a malicious third party. This bucket currently serves binaries containing malware that exfiltrate data from users’ computers.”
An unknown attacker allegedly took advantage of a once-active S3 bucket to deliver malware when an unsuspecting user downloaded the package in question.
“If a package points to a bucket as a source, that pointer will continue to exist after the bucket is deleted,” Nachshon explains. “This anomaly allowed an attacker to reroute pointers to a hijacked bucket.”

Reverse engineering of this malware sample revealed that it was able to steal user credentials and environment details and send that information to the same hijacked bucket.
Checkmarx said it discovered a large number of packages using abandoned S3 buckets, making them susceptible to this new attack vector. If anything, this development shows that threat actors are constantly looking for different ways to pollute the software supply chain.
“This new development in the realm of subdomain hijacking serves as a wake-up call for developers and organizations,” said Nachshon. “Abandoned hosting buckets and outdated subdomains are more than just forgotten relics; they can become powerful weapons of data theft and intrusion in the wrong hands.”
The development comes almost a week after Cyble discovered an estimated 160 malicious Python packages that were downloaded over 45,000 times and had the ability to extract login credentials and credit card details.