Cybersecurity researchers have flagged a fresh software supply chain attack targeting the npm registry that has affected more than 40 packages that belong to multiple maintainers.
“The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages,” supply chain security company Socket said.
The end goal of the campaign is to search developer machines for secrets using TruffleHog’s credential scanner and transmit them to an external server under the attacker’s control. The attack is capable of targeting both Windows and Linux systems.
The following packages have been identified as impacted by the incident –
- [email protected]
- @ctrl/[email protected]
- @ctrl/[email protected]
- @ctrl/[email protected]
- @ctrl/[email protected]
- @ctrl/[email protected]
- @ctrl/[email protected]
- @ctrl/[email protected]
- @ctrl/[email protected]
- @ctrl/[email protected]
- @ctrl/[email protected]
- @ctrl/[email protected], @4.1.2
- @ctrl/[email protected]
- @ctrl/[email protected]
- @ctrl/[email protected]
- [email protected]
- [email protected], 0.2.1
- [email protected], 5.11.1
- @nativescript-community/[email protected]
- @nativescript-community/sentry 4.6.43
- @nativescript-community/[email protected]
- @nativescript-community/[email protected]
- @nativescript-community/[email protected]
- @nativescript-community/[email protected]
- @nativescript-community/[email protected]
- @nativescript-community/[email protected]
- @nativescript-community/[email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
The malicious JavaScript code (“bundle.js”) injected into each of the trojanized package is designed to download and run TruffleHog, a legitimate secret scanning tool, using it to scan the host for tokens and cloud credentials, such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY.
“It validates npm tokens with the whoami endpoint, and it interacts with GitHub APIs when a token is available,” Socket said. “It also attempts cloud metadata discovery that can leak short-lived credentials inside cloud build agents.”
The script then abuses the developer’s credentials (i.e., the GitHub personal access tokens) to create a GitHub Actions workflow in .github/workflows, and exfiltrates the collected data to a webhook[.]site endpoint.
Developers are advised to audit their environments and rotate npm tokens and other exposed secrets if the aforementioned packages are present with publishing credentials.
“The workflow that it writes to…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
