Cybersecurity researchers have flagged a fresh software supply chain attack targeting the npm registry that has affected more than 40 packages that belong to multiple maintainers.
“The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages,” supply chain security company Socket said[1].
The end goal of the campaign is to search developer machines for secrets using TruffleHog’s credential scanner[2] and transmit them to an external server under the attacker’s control. The attack is capable of targeting both Windows and Linux systems.
The following packages have been identified as impacted by the incident –
- angulartics2@14.1.2
- @ctrl/deluge@7.2.2
- @ctrl/golang-template@1.4.3
- @ctrl/magnet-link@4.0.4
- @ctrl/ngx-codemirror@7.0.2
- @ctrl/ngx-csv@6.0.2
- @ctrl/ngx-emoji-mart@9.2.2
- @ctrl/ngx-rightclick@4.0.2
- @ctrl/qbittorrent@9.7.2
- @ctrl/react-adsense@2.0.2
- @ctrl/shared-torrent@6.3.2
- @ctrl/tinycolor@4.1.1, @4.1.2
- @ctrl/torrent-file@4.1.2
- @ctrl/transmission@7.3.1
- @ctrl/ts-base32@4.0.2
- encounter-playground@0.0.5
- json-rules-engine-simplified@0.2.4, 0.2.1
- koa2-swagger-ui@5.11.2, 5.11.1
- @nativescript-community/gesturehandler@2.0.35
- @nativescript-community/sentry 4.6.43
- @nativescript-community/text@1.6.13
- @nativescript-community/ui-collectionview@6.0.6
- @nativescript-community/ui-drawer@0.1.30
- @nativescript-community/ui-image@4.5.6
- @nativescript-community/ui-material-bottomsheet@7.2.72
- @nativescript-community/ui-material-core@7.2.76
- @nativescript-community/ui-material-core-tabs@7.2.76
- ngx-color@10.0.2
- ngx-toastr@19.0.2
- ngx-trend@8.0.1
- react-complaint-image@0.0.35
- react-jsonschema-form-conditionals@0.3.21
- react-jsonschema-form-extras@1.0.4
- rxnt-authentication@0.0.6
- rxnt-healthchecks-nestjs@1.0.5
- rxnt-kue@1.0.7
- swc-plugin-component-annotate@1.9.2
- ts-gaussian@3.0.6
The malicious JavaScript code (“bundle.js”) injected into each of the trojanized package is designed to download and run TruffleHog, a legitimate secret scanning tool, using it to scan the host for tokens and cloud credentials, such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY.
“It validates npm tokens with the whoami endpoint, and it interacts with GitHub APIs when a token is available,” Socket said. “It also attempts cloud metadata discovery that can leak short-lived credentials inside cloud build agents.”
The script then abuses the developer’s credentials (i.e., the GitHub personal access tokens) to create a GitHub Actions workflow in .github/workflows, and exfiltrates the collected data to a webhook[.]site endpoint.
Developers are advised to audit their environments and rotate npm tokens and other exposed secrets if the aforementioned packages are present with publishing credentials.
“The workflow that it writes to repositories persists beyond the initial host,” the company noted. “Once committed, any future CI run can trigger the exfiltration step from within the pipeline where sensitive secrets and artifacts are available by design.”
StepSecurity, which also shared details[3] of the campaign, said the attack demonstrates a concerning evolution in supply chain threats, given that the malware includes a self-propagating mechanism enabling automatic infection of downstream packages. This behavior creates a “cascading compromise across the ecosystem.”
crates.io Phishing Campaign
The disclosure comes as the Rust Security Response Working Group is warning of phishing emails from a typosquatted domain, rustfoundation[.]dev, targeting crates.io users.
The messages, which originate from security@rustfoundation[.]dev, warn recipients of an alleged compromise of the crates.io infrastructure and instruct them to click on an embedded link to rotate their login information so as to “ensure that the attacker cannot modify any packages published by you.”
The rogue link, github.rustfoundation[.]dev, mimics a GitHub login page, indicating a clear attempt on the part of the attackers to capture victims’ credentials. The phishing page is currently inaccessible.
“These emails are malicious and come from a domain name not controlled by the Rust Foundation (nor the Rust Project), seemingly with the purpose of stealing your GitHub credentials,” the Rust Security Response WG said[4]. “We have no evidence of a compromise of the crates.io infrastructure.”
The Rust team also said they are taking steps to monitor any suspicious activity on crates.io, in addition to getting the phishing domain taken down.
References
- ^ said (socket.dev)
- ^ credential scanner (github.com)
- ^ shared details (www.stepsecurity.io)
- ^ said (blog.rust-lang.org)