Summary: The discovery of the malicious NPM package “jest-fet-mock” highlights an innovative supply chain attack that uses Ethereum smart contracts for command-and-control operations. This cross-platform malware targets development environments by impersonating legitimate testing utilities, showcasing a new method of leveraging blockchain technology in cyber attacks. #SupplyChainAttack #BlockchainMalware #NPMThreat Key points: First observed instance of malware using Ethereum smart contracts to distribute C2 server addresses in the NPM ecosystem.…
Summary: The Checkmarx Research team has uncovered a year-long supply chain attack involving the malicious NPM package @0xengine/xmlrpc, which evolved from a legitimate XML-RPC implementation to a tool for stealing sensitive data and mining cryptocurrency. This incident highlights the need for ongoing vigilance in monitoring software supply chains, as even seemingly safe packages can become compromised.…

A few hours ago, the Python Package Index (PyPI) suspended new project creation and new user registration to mitigate an ongoing malware upload campaign.

At the same time, the Checkmarx research team investigated a campaign of multiple malicious packages that appear to be related to the same threat actors.…


Key Points

For nearly half a year, a threat actor has been planting malicious Python packages into the open-source repository. Many of the malicious packages were camouflaged with names closely resembling those of popular legitimate Python packages, and consequently they received thousands of downloads. The setup.py file within these packages carried the harmful payload, which allowed the malicious code to execute upon installation.…

In the realm of software development, open-source tools and packages play a pivotal role in simplifying tasks and accelerating development processes. Yet, as the community grows, so does the number of bad actors looking to exploit it. A recent example involves developers being targeted by seemingly legitimate Python obfuscation packages that harbor malicious code.…


Key Points

Throughout September 2023, an attacker ran a targeted campaign via PyPI to lure developers using Alibaba Cloud services, AWS, and Telegram to their malicious packages. Rather than executing automatically, the malicious code within these packages was deliberately hidden inside functions, designed to trigger only when those functions were called.…

What Happened?

In July 2023, our scanners detected atypical commits to hundreds of GitHub repositories that appeared to be contributed by Dependabot and carried malicious code. The commit messages were fabricated by the threat actors to look like automated Dependabot contributions in the commit history, in an attempt to disguise the malicious activity. After reaching out and talking to some of the victims who were compromised, we can confirm that the victims’ GitHub personal access tokens were stolen and used by the attackers to push those malicious code contributions.…

In May, we sounded the alarm about PYTA31, an advanced persistent threat actor distributing the “WhiteSnake” malware. Since then, we’ve been rigorously monitoring this group, which has been active from April through mid-August, distributing malicious PyPI packages laced with “WhiteSnake Malware.”

WhiteSnake Malware, also known as the “WhiteSnake Stealer”, first appeared on hacking forums in early 2022.…


Checkmarx discovered ~200 malicious NPM packages with thousands of installations linked to an attack group called “LofyGang”.

This attack group has been operating for over a year with multiple hacking objectives:

Credit card information; Discord “Nitro” (premium) upgrades; streaming service accounts (e.g. Disney+); Minecraft accounts; and more.…