Cybersecurity researchers have discovered a fresh software supply chain attack campaign that has compromised various npm packages associated with the @antv ecosystem as part of the ongoing Mini Shai-Hulud attack wave.
“The attack affects packages tied to the npm maintainer account atool, including echarts-for-react, a widely used React wrapper for Apache ECharts with roughly 1.1 million weekly downloads,” Socket said.
The list of affected packages includes @antv packages such as @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g, @antv/g2plot, @antv/graphin, and @antv/data-set, as well as related packages outside the @antv namespace, including echarts-for-react, timeago.js, size-sensor, canvas-nest.js, and others.
The application security company said the tradecraft matches Mini Shai-Hulud, where a compromised maintainer account is leveraged to push out trojanized versions in quick succession.
The development comes as the supply chain attack campaign continues to slither its way through the software supply chain, worming through different open-source registries rapidly and infecting hundreds of software packages by embedding credential-stealing code into popular development tools.
“The potential blast radius is significant because the affected publishing account is connected to widely used packages across data visualization, graphing, mapping, charting, and React component ecosystems,” Socket said. “Even if only a subset of those packages received malicious updates, the popularity of the package ecosystem creates meaningful downstream exposure for organizations that automatically pull new dependency versions.”
The attacker is said to have published 639 malicious versions across 323 unique packages, including 558 versions across 279 unique @antv packages. The stealer payload harvests more than 20 credential types, including Amazon Web Services, Google Cloud, Microsoft Azure, GitHub, npm, SSH, Kubernetes, Vault, and Stripe credentials as well as database connection strings, and attempts a Docker container escape via the host socket. The stealer is identical to the Mini Shai-Hulud payload used in the SAP compromise.
The collected data is eventually serialized, compressed, encrypted, and exfiltrated to t.m-kosche[.]com:443. As a fallback mechanism, the malware leverages the stolen GitHub token to create a public repository under the victim’s account and commit the data in a JSON file.
The repositories carry the description “niagA oG eW ereH :duluH-iahS,” which reverses to “Shai-Hulud: Here We Go Again.” As of writing, there are more than 2,200 repositories on GitHub containing this marker.
Furthermore, the malware incorporates npm propagation logic that abuses the stolen npm tokens: it first validates them through the npm registry API, enumerates the packages maintained by the token owner, downloads the package tarballs, injects the malicious payload, adds a preinstall hook, bumps the package versions, and republishes them using the compromised…
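Two of the details above are directly usable for detection: the worm adds a preinstall lifecycle hook to every tarball it republishes, and the fallback exfiltration repositories it creates carry a fixed reversed-string description. The following Node.js script is an added example written for this page (it is not code from the article, from Socket, or from the worm) that audits a project's package-lock.json against the package names and namespace quoted in the report, flags installed packages whose manifest declares a preinstall hook, and checks a repository description for the marker string. The lockfile layout it assumes is the lockfileVersion 2/3 `packages` map; the sample lockfile, manifests, version strings, and hook command are constructed for the demo and are not real indicators.

```javascript
// Added defender-side audit for the Mini Shai-Hulud npm wave described above.
// Not the article's or Socket's code; sample inputs below are constructed.

// Names and namespace taken from the report. Extend with your own watchlist.
const WATCHED_SCOPES = ['@antv/'];
const WATCHED_PACKAGES = new Set([
  'echarts-for-react', 'timeago.js', 'size-sensor', 'canvas-nest.js',
]);

// Description the worm writes on the repositories it creates (quoted in the report).
const MARKER_REVERSED = 'niagA oG eW ereH :duluH-iahS';

// Reverse a string code point by code point (the marker is plain ASCII).
function reverseMarker(s) {
  return Array.from(s).reverse().join('');
}

// True if a repository description is the marker, in either orientation.
function isExfilRepoMarker(description) {
  if (typeof description !== 'string') return false;
  const d = description.trim();
  return d === MARKER_REVERSED || d === reverseMarker(MARKER_REVERSED);
}

// "node_modules/a/node_modules/@antv/g2" -> "@antv/g2"; null for the root entry.
function packageNameFromLockKey(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? null : key.slice(idx + 'node_modules/'.length);
}

// Walk the lockfileVersion 2/3 "packages" map and flag watchlisted packages.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromLockKey(key);
    if (!name) continue;
    const watched = WATCHED_PACKAGES.has(name) ||
      WATCHED_SCOPES.some((scope) => name.startsWith(scope));
    if (watched) {
      findings.push({
        name, version: entry.version,
        reason: 'package on the compromised-maintainer watchlist; pin to a version published before the incident',
      });
    }
  }
  return findings;
}

// Flag any installed manifest that declares a preinstall hook: the worm adds one
// to each republished tarball, and most libraries have no reason to carry one.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  if (typeof scripts.preinstall !== 'string') return [];
  return [{
    name: manifest.name, version: manifest.version,
    reason: `preinstall hook present: ${scripts.preinstall}`,
  }];
}

function runAudit(lock, manifests) {
  return [...auditLockfile(lock), ...manifests.flatMap(auditManifest)];
}

// Constructed sample lockfile (versions and names below are not real indicators).
const SAMPLE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/react': { version: '1.0.0-sample' },
    'node_modules/echarts-for-react': { version: '1.0.0-sample' },
    'node_modules/@antv/g2': { version: '1.0.0-sample' },
    'node_modules/left-pad': { version: '1.0.0-sample' },
  },
};

// Constructed sample manifests: one benign, one with a (placeholder) preinstall hook.
const SAMPLE_MANIFESTS = [
  { name: 'left-pad', version: '1.0.0-sample', scripts: { test: 'node test.js' } },
  { name: '@antv/g2', version: '1.0.0-sample',
    scripts: { preinstall: 'node ./PLACEHOLDER-hook.js' } },
];

// Real runs would JSON.parse package-lock.json and each node_modules/**/package.json.
for (const f of runAudit(SAMPLE_LOCK, SAMPLE_MANIFESTS)) {
  console.log(`${f.name}@${f.version}: ${f.reason}`);
}
console.log('marker check:', isExfilRepoMarker(MARKER_REVERSED));
```

The preinstall check is the more general of the two signals: it catches a trojanized version of any package, not only those on the watchlist, at the cost of some noise from packages that legitimately build native code. Pairing the audit with `ignore-scripts=true` and `save-exact=true` in `.npmrc` stops lifecycle hooks from running at install time and removes the automatic version drift the report identifies as the main source of downstream exposure.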
