Supply Chain Attack

Cybersecurity researchers have discovered a number of malicious packages in the NPM registry that specifically target several prominent media, logistics, and industrial firms based in Germany to carry out supply chain attacks.

"Compared with most malware found in the NPM repository, this payload seems particularly dangerous: a highly-sophisticated, obfuscated piece of malware that acts as a backdoor and allows the attacker to take total control over the infected machine," researchers from JFrog said in a new report.

The DevOps company said that evidence points to it being either the work of a sophisticated threat actor or a "very aggressive" penetration test.


All the rogue packages, most of which have since been removed from the repository, have been traced to four "maintainers" (bertelsmannnpm, boschnodemodules, stihlnodemodules, and dbschenkernpm), indicating an attempt to impersonate legitimate firms like Bertelsmann, Bosch, Stihl, and DB Schenker.

Some of the package names are said to be very specific, raising the possibility that the adversary managed to identify the libraries hosted in the companies' internal repositories with the goal of staging a dependency confusion attack.


The findings build on a report from Snyk late last month that detailed one of the offending packages, "gxm-reference-web-auth-server," noting that the malware is targeting an unknown company that has the same package in their private registry.

"The attacker(s) likely had information about the existence of such a package in the company's private registry," the Snyk security research team said.

ReversingLabs, which independently corroborated the hacks, said that the rogue modules uploaded to NPM carried higher version numbers than their private counterparts to force the modules onto target environments, a clear indicator of a dependency confusion attack.

"The targeted private packages for the transportation and logistics firm had versions 0.5.69 and 4.0.48, while the malicious, public versions were identically named, but used versions 0.5.70 and 4.0.49," the cybersecurity firm explained.
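
The version pattern described above can be checked for defensively. The following is an added example, not code from JFrog, Snyk, or ReversingLabs: it compares a private registry's package list against public listings and flags names where the public copy carries the higher version. The package names, the registry contents, and the assumption that the resolver picks the highest version across both registries are all constructed for illustration; only the 0.5.69/0.5.70 and 4.0.48/4.0.49 pairs come from the article.

```javascript
// Constructed sample data. Package names are hypothetical; the first two
// version pairs are the ones quoted from ReversingLabs above.
const privateRegistry = {
  "acme-logistics-core": ["0.5.68", "0.5.69"],
  "acme-tracking-ui": ["4.0.48"],
  "acme-billing": ["1.9.0"],
  "acme-auth": ["3.1.0"],
  "acme-internal-utils": ["2.0.0"],
};
const publicRegistry = {
  "acme-logistics-core": ["0.5.70"],
  "acme-tracking-ui": ["4.0.49"],
  "acme-billing": ["1.10.0"], // numerically higher than 1.9.0, lexically lower
  "acme-auth": ["1.0.0"],
};

// Compare plain MAJOR.MINOR.PATCH strings numerically (pre-release tags not handled).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function highestVersion(versions) {
  return versions.reduce((max, v) => (compareVersions(v, max) > 0 ? v : max));
}

// Report every private package name that also exists in the public registry.
// publicWins is true when a resolver that takes the highest version across
// both registries (assumed model) would install the public copy.
function findNameCollisions(priv, pub) {
  const findings = [];
  for (const [name, versions] of Object.entries(priv)) {
    if (!Object.prototype.hasOwnProperty.call(pub, name)) continue;
    const privateMax = highestVersion(versions);
    const publicMax = highestVersion(pub[name]);
    const publicWins = compareVersions(publicMax, privateMax) > 0;
    findings.push({ name, privateMax, publicMax, publicWins });
  }
  return findings;
}

for (const f of findNameCollisions(privateRegistry, publicRegistry)) {
  const verdict = f.publicWins ? "PUBLIC COPY WOULD BE INSTALLED" : "private copy still wins";
  console.log(`${f.name}: private ${f.privateMax}, public ${f.publicMax} -> ${verdict}`);
}
```

Any collision is worth investigating even when the private copy currently wins, since a later public release can overtake it.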

Calling the implant an "in-house development," JFrog pointed out that the malware harbors two components, a dropper that sends information about the infected machine to a remote telemetry server before decrypting and executing a JavaScript backdoor.

The backdoor, while lacking a persistence mechanism, is designed to receive and execute commands sent from a hard-coded command-and-control server, evaluate arbitrary JavaScript code, and upload files back to the server.

"The attack is highly targeted and relies on difficult-to-get insider information," the researchers said. But on the other hand, "the usernames created in the NPM registry did not try to hide the targeted company."

The findings come as Israeli cybersecurity firm Check Point disclosed a monthslong information stealer campaign targeting the German auto industry with commodity malware such as AZORult, BitRAT, and Raccoon.

Update: A German penetration testing company named Code White has owned up to uploading the malicious packages in question, adding it was an attempt to "mimic realistic threat actors for dedicated clients."

The dependency confusion attacks were engineered by an intern at the company who was tasked with "research(ing) dependency confusion as part of our continuous attack simulations for clients," it acknowledged in a set of tweets.
