
Cybersecurity researchers have discovered a new, ongoing campaign targeting the npm ecosystem that uses an unusual execution chain to deliver as-yet-unknown payloads to targeted systems.
“The packages in question appear to be published in pairs, with each pair working together to obtain additional resources before being decoded or executed,” software supply chain security firm Phylum said in a report published last week.
The order in which the two packages are installed is therefore critical to a successful attack: the first module is designed to fetch a token from a remote server and store it locally. The campaign was first spotted on June 11, 2023.
The second package then passes this token, along with the operating system type, as parameters of an HTTP GET request that retrieves a second script from the remote server. A successful request returns a Base64-encoded string, which is decoded and executed only if it is longer than 100 characters.

Phylum says the endpoint has so far returned only the string “bm8gaGlzdG9yeSBhdmFpbGFibGU=”, which decodes to “no history available”. That string is well under the 100-character threshold, so nothing is executed; the firm reads this as a sign that the attack is still being staged, or that the endpoint is designed to hand out a payload only at certain times.
Another hypothesis is that the response depends on the IP address (or, by extension, the geographic location) from which the first package's request was sent when the token was generated.
The identity of the actors behind this operation is unknown at this time, but it bears the hallmarks of a “fairly” sophisticated supply chain threat, given the effort the adversary invested in splitting the attack across two packages and the steps taken to fetch and execute the next-stage payload dynamically in order to evade detection.
“It’s important that each package in the pair runs in the correct order and on the same machine, consecutively, to ensure successful operation,” Phylum said. “This carefully orchestrated attack serves as a stark reminder of the ever-evolving complexity of modern threat actors in the open source ecosystem.”
The disclosure comes as Sonatype identified six malicious packages (break-rcl, breakscolors, brokerscolors2, brokerscolors3, brokersrcl, and trexcolors) uploaded to the Python Package Index (PyPI) repository by a single account named break.

“These packages target the Windows operating system and are identical in terms of versioning,” said security researcher and journalist Ax Sharma. “When installed, these packages simply download and run a Trojan hosted on Discord’s servers.”
Sonatype also discovered a package called libiobe that targets both Windows and Linux. On Windows the package delivers an information stealer, while on Linux it is configured to profile the system and exfiltrate that information to a Telegram endpoint.
“It’s hard to ascertain who will end up running a package with such a name, or who exactly it’s targeting,” Sharma said. “While these packages may not use new payloads or tactics or have clear targets, they are proof that we continue to see malicious attacks targeting open source software registries such as PyPI and npm.”