npm repository | Breaking Cybersecurity News | The Hacker News

A set of fake npm packages discovered on the Node.js repository has been found to share ties with North Korean state-sponsored actors, new findings from Phylum show. The packages are named execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils. One of the packages in question,  execution-time-async , masquerades as its legitimate counterpart  execution-time , a library with more than 27,000 weekly downloads. Execution-time is a Node.js utility used to measure execution time in code. It "actually installs several malicious scripts including a cryptocurrency and credential stealer," Phylum  said , describing the campaign as a software supply chain attack targeting developers. The package was  downloaded 302 times  since February 4, 2024, before being taken down. In an interesting twist, the threat actors made efforts to conceal the obfuscated malicious code in a test file, which is designed to fetch nex...

An unknown threat actor is leveraging malicious npm packages to target developers with an aim to steal source code and configuration files from victim machines, a sign of how threats lurk consistently in open-source repositories. "The threat actor behind this campaign has been linked to malicious activity dating back to 2021," software supply chain security firm Checkmarx  said  in a report shared with The Hacker News. "Since then, they have continuously published malicious packages." The latest report is a continuation of the  same campaign  that Phylum disclosed at the start of the month in which a number of npm modules were engineered to exfiltrate valuable information to a remote server. The packages, by design, are configured to execute immediately post-installation by means of a postinstall hook defined in the package.json file. It triggers the launch of preinstall.js, which spawns index.js to capture the system metadata as well as harvest source code and...

Cybersecurity researchers have discovered a new ongoing campaign aimed at the npm ecosystem that leverages a unique execution chain to deliver an unknown payload to targeted systems. "The packages in question seem to be published in pairs, each pair working in unison to fetch additional resources which are subsequently decoded and/or executed," software supply chain security firm Phylum  said  in a report released last week. To that end, the order in which the pair of packages are installed is paramount to pulling off a successful attack, as the first of the two modules is designed to store locally a token retrieved from a remote server. The campaign was first discovered on June 11, 2023. The second package subsequently passes this token as a parameter alongside the operating system type to an  HTTP GET request  to acquire a second script from the remote server. A successful execution returns a Base64-encoded string that is immediately executed but only if t...

A novel timing attack discovered against the npm's registry API can be exploited to potentially disclose private packages used by organizations, putting developers at risk of supply chain threats. "By creating a list of possible package names, threat actors can detect organizations'  scoped private packages  and then masquerade public packages, tricking employees and users into downloading them," Aqua Security researcher Yakir Kadkoda  said . The Scoped Confusion attack banks on analyzing the time it takes for the  npm API  (registry.npmjs[.]org) to return an HTTP 404 error message when querying for a private package, and measuring it against the response time for a non-existing module. "It takes on average less time to get a reply for a private package that does not exist compared to a private package that does," Kadkoda explained. The idea, ultimately, is to identify packages internally used by companies, which could then be used by threat actors to...

Multiple campaigns that distributed trojanized and typosquatted packages on the NPM open source repository have been identified as the work of a single threat actor dubbed LofyGang . Checkmarx said it discovered 199 rogue packages totaling thousands of installations, with the group operating for over a year with the goal of stealing credit card data as well as user accounts associated with Discord Nitro, gaming, and streaming services. "LofyGang operators are seen promoting their hacking tools in hacking forums, while some of the tools are shipped with a hidden backdoor," the software security company said in a report shared with The Hacker News prior to its publication. Various pieces of the attack puzzle have already been reported by  JFrog ,  Sonatype , and  Kaspersky  (which called it LofyLife), but the latest analysis pulls the various operations together under one organizational umbrella that Checkmarx is referring to as  LofyGang . Believed to be ...

A malicious NPM package has been found masquerading as the legitimate software library for Material Tailwind, once again indicating attempts on the part of threat actors to distribute malicious code in open source software repositories. Material Tailwind is a  CSS-based framework  advertised by its maintainers as an "easy to use components library for Tailwind CSS and Material Design." "The malicious Material Tailwind npm package, while posing as a helpful development tool, has an automatic post-install script," Karlo Zanki, security researcher at ReversingLabs,  said  in a report shared with The Hacker News. This script is engineered to download a password-protected ZIP archive file that contains a Windows executable capable of running PowerShell scripts. The now-removed rogue package, named  material-tailwindcss , has been downloaded 320 times to date, all of which occurred on or after September 15, 2022. In a tactic that's becoming increasingly common,...

Cloud-based repository hosting service GitHub on Friday shared additional details into the theft of its integration OAuth tokens last month, noting that the attacker was able to access internal NPM data and its customer information. "Using stolen OAuth user tokens originating from two third-party integrators, Heroku and Travis CI, the attacker was able to escalate access to NPM infrastructure," Greg Ose said , adding the attacker then managed to obtain a number of files - A database backup of skimdb.npmjs.com consisting of data as of April 7, 2021, including an archive of user information from 2015 and all private NPM package manifests and package metadata. The archive contained NPM usernames, password hashes, and email addresses for roughly 100,000 users. A set of CSV files encompassing an archive of all names and version numbers of published versions of all NPM private packages as of April 10, 2022, and  A "small subset" of private packages from two organiz...

A new large scale supply chain attack has been observed targeting Azure developers with no less than 218 malicious NPM packages with the goal of stealing personal identifiable information. "After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire  @azure NPM scope , by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope," JFrog researchers Andrey Polkovnychenko and Shachar Menashe  said  in a new report. The entire set of malicious packages was disclosed to the NPM maintainers roughly two days after they were published earlier this week, leading to their quick removal, but not before each of the packages were downloaded around 50 times on average. The attack refers to what's called typosquatting, which takes place when bad actors push rogue packages with names mimicking legitimate libraries to a public software registry such ...

Another batch of 25 malicious JavaScript libraries have made their way to the official NPM package registry with the goal of stealing Discord tokens and environment variables from compromised systems, more than two months after  17 similar packages  were taken down. The libraries in question leveraged typosquatting techniques and masqueraded as other legitimate packages such as colors.js, crypto-js, discord.js, marked, and  noblox.js , DevOps security firm JFrog said, attributing the packages as the work of "novice malware authors." The complete list of packages is below – node-colors-sync (Discord token stealer) color-self (Discord token stealer) color-self-2 (Discord token stealer) wafer-text (Environment variable stealer) wafer-countdown (Environment variable stealer) wafer-template (Environment variable stealer) wafer-darla (Environment variable stealer) lemaaa (Discord token stealer) adv-discord-utility (Discord token stealer) tools-for-discord (Disco...

A widely used third-party NodeJS module with nearly 2 million downloads a week was compromised after one of its open-source contributor gone rogue, who infected it with a malicious code that was programmed to steal funds stored in Bitcoin wallet apps. The Node.js library in question is "Event-Stream," a toolkit that makes it easy for developers to create and work with streams, a collection of data in Node.js — just like arrays or strings. The malicious code detected earlier this week was added to Event-Stream version 3.3.6, published on September 9 via NPM repository , and had since been downloaded by nearly 8 million application programmers. Event-Stream module for Node.js was originally created by Dominic Tarr, who maintained the Event-Stream library for a long time, but handed over the development and maintenance of the project several months ago to an unknown programmer, called "right9ctrl." Apparently, right9ctrl gained Dominic's trust by making...