Phishing attack nets enormous npm supply chain compromise


A successful phishing attack against a developer has resulted in one of the largest supply chain compromises to date, adding malicious code to JavaScript packages with around 2.7 billion weekly downloads.

[Image: sample npmjs.help phishing message (credit: Marsup)]

Developers reported on GitHub that they had been receiving very legitimate-looking phishing emails from “[email protected]” asking them to update their two-factor authentication (2FA) credentials.

npm stands for Node package manager; the npm registry is a massive database of reusable code packages, containing over 2 million items.

In the current incident, the attacker-controlled domain npmjs.help was registered just three days ago, and unfortunately, one developer, Josh “qix” Junon, fell for the phishing message and lost control of his account.
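As an added example (not code from the article, from npm or from GitHub), a small Python triage helper that flags sender domains reusing the npm brand outside an allowlisted domain, the look-alike pattern of the npmjs.help lure above; the allowlist and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Assumed allowlist of domains that legitimately send npm account mail;
# confirm against your own mail logs before relying on it.
LEGIT_NPM_DOMAINS = {"npmjs.com"}

# Brand token a lure reuses in a look-alike domain ("npmjs" contains it).
BRAND_TOKEN = "npm"


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of a From: header, or '' if absent."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().strip(".")


def classify_sender(from_header: str) -> str:
    """Classify a From: header as 'legit', 'lookalike' or 'unrelated'.

    'lookalike' means the domain is not allowlisted but reuses the npm brand
    in one of its labels (e.g. npmjs.help, npmjs-support.com).
    """
    domain = sender_domain(from_header)
    if not domain:
        return "unrelated"
    # Exact allowlisted domain or a subdomain of it.
    for good in LEGIT_NPM_DOMAINS:
        if domain == good or domain.endswith("." + good):
            return "legit"
    if any(BRAND_TOKEN in label for label in domain.split(".")):
        return "lookalike"
    return "unrelated"


def triage(headers):
    """Return the (message_id, from_header) pairs that look like brand lures."""
    return [(mid, fh) for mid, fh in headers if classify_sender(fh) == "lookalike"]


# Constructed sample headers, not real messages from the incident.
SAMPLE_HEADERS = [
    ("msg-1", "npm <support@npmjs.help>"),
    ("msg-2", "npm <noreply@npmjs.com>"),
    ("msg-3", "Billing <billing@example.org>"),
    ("msg-4", "npm security <security@npmjs-support.com>"),
]

if __name__ == "__main__":
    for mid, fh in triage(SAMPLE_HEADERS):
        print(mid, fh)
```

A domain-age lookup (the lure domain was only days old) is a natural second signal, but it needs network access and is left out here.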

The successful phishing attack on Junon resulted in at least 18 very popular npm packages being compromised, with around 2.7 billion downloads a week.


Security vendor Aikido analysed the malicious code and said it “would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.”

Now that the compromise has been discovered, clean-up of the affected packages is under way, but the unknown threat actor appears to be targeting other developers as well.

The large-scale compromise follows another successful attack on the popular Nx package and plugins for it at the end of August.

That attack, named s1ngularity, was caused by the addition of a vulnerable workflow that allowed executable code to be injected via a pull request title.

Artificial intelligence command-line tools were abused to scan the local file system in that attack, npm security vendor Socket said.

Thousands of corporate secrets from over 1700 users were leaked and published on GitHub in the s1ngularity repository.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.