Tick Tock, Your Credentials Are Gone: The Maven Package With a Monthly Theft Schedule

A malicious Maven package impersonating the legitimate scribejava-core OAuth library has been discovered, exposing developers to credential theft. The package activates only on the 15th of each month, harvesting OAuth credentials and posting them to Pastebin; because the payload stays dormant the rest of the month, short test runs and sandbox executions rarely observe it, which complicates detection. Affected: Java developers, OAuth credential holders, FinTech applications

Key points:

  • A malicious Maven package is masquerading as the legitimate scribejava-core OAuth library.
  • The malicious package was published on Maven Central and has six dependent packages, each of which also mimics a real library.
  • It activates only on the 15th of each month, capturing and exfiltrating OAuth credentials.
  • The code employs obfuscation tactics to evade detection by security tools.
  • Impact is highest for FinTech and other data-sensitive applications, where a stolen OAuth client secret or token gives direct access to the third-party services the application integrates with.
  • Mitigation: continuously scan dependencies, and verify artifacts before building, including checking that the groupId matches the library's known publisher and that downloaded artifacts match pinned checksums.
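The last two recommendations can be automated in the build pipeline. The following is an added example, not code from the Socket write-up or from the scribejava project: it parses a pom.xml, flags any dependency whose artifactId matches a protected library but whose groupId is not the canonical publisher (the name-matching masquerade described above), and checks a downloaded jar against a checksum pinned out-of-band. The sample pom and jar bytes are constructed; `com.example.oauth` is a placeholder for an impersonating publisher, since the page does not give the malicious package's real coordinates. `com.github.scribejava` is the real groupId of scribejava-core on Maven Central.

```python
"""Audit a Maven pom.xml for look-alike dependencies and verify a downloaded
artifact against a pinned checksum. This is an added example, not code from
the Socket write-up or from the scribejava project."""
import hashlib
import xml.etree.ElementTree as ET

# Canonical publisher for each protected artifactId. com.github.scribejava is
# the real groupId under which scribejava-core is published on Maven Central.
CANONICAL_GROUPS = {
    "scribejava-core": "com.github.scribejava",
    "scribejava-apis": "com.github.scribejava",
}

# Constructed sample pom.xml. The groupId "com.example.oauth" is a placeholder
# for an impersonating publisher; the page does not give the real malicious
# coordinates, so none are reproduced here.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>payments-service</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>com.github.scribejava</groupId>
      <artifactId>scribejava-apis</artifactId>
      <version>8.3.3</version>
    </dependency>
    <dependency>
      <groupId>com.example.oauth</groupId>
      <artifactId>scribejava-core</artifactId>
      <version>8.3.3</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed stand-in for a downloaded jar and its out-of-band pinned digest.
SAMPLE_JAR = b"PK\x03\x04constructed-jar-bytes"
SAMPLE_JAR_SHA256 = hashlib.sha256(SAMPLE_JAR).hexdigest()


def parse_dependencies(pom_xml: str) -> list:
    """Return (groupId, artifactId, version) for every <dependency> element."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall(".//m:dependencies/m:dependency", NS):
        group = (dep.findtext("m:groupId", default="", namespaces=NS) or "").strip()
        artifact = (dep.findtext("m:artifactId", default="", namespaces=NS) or "").strip()
        version = (dep.findtext("m:version", default="", namespaces=NS) or "").strip()
        deps.append((group, artifact, version))
    return deps


def find_lookalikes(deps) -> list:
    """Flag dependencies whose artifactId matches a protected library but whose
    groupId is not the canonical publisher: the same name under a different
    namespace is exactly the T1036.005 pattern described above."""
    findings = []
    for group, artifact, version in deps:
        expected = CANONICAL_GROUPS.get(artifact)
        if expected is not None and group != expected:
            findings.append({
                "coordinate": f"{group}:{artifact}:{version}",
                "expected_group": expected,
            })
    return findings


def verify_artifact(jar_bytes: bytes, pinned_sha256: str) -> bool:
    """Compare a downloaded artifact against a digest pinned outside the repo
    (e.g. recorded from a previously verified build), so a swapped jar fails closed."""
    return hashlib.sha256(jar_bytes).hexdigest() == pinned_sha256.lower()


if __name__ == "__main__":
    for finding in find_lookalikes(parse_dependencies(SAMPLE_POM)):
        print(f"LOOKALIKE {finding['coordinate']} (expected {finding['expected_group']})")
    print("artifact ok:", verify_artifact(SAMPLE_JAR, SAMPLE_JAR_SHA256))
```

Run this against the effective pom (`mvn help:effective-pom`) rather than the top-level file, so dependencies pulled in through parents and BOMs are covered; a name-match check on the resolved tree is what catches the six look-alike dependents as well as the root package.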

MITRE Techniques:

  • T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain via the malicious package.
  • T1036.005 — Masquerading: Match Legitimate Name or Location by typosquatting the original library.
  • T1027 — Obfuscated Files or Information: Use of obfuscation tactics within the malicious code.
  • T1567 — Exfiltration Over Web Service: stolen credentials are posted to Pastebin, a legitimate public web service, rather than to attacker-owned infrastructure.
  • T1497.003 — Virtualization/Sandbox Evasion: Time Based Evasion; the payload runs only on the 15th of the month, so short-lived analysis runs rarely trigger it.

Indicators of Compromise:

  • [URL] http://pastebin[.]com/api/api_post.php
  • [URL] https://pastebin[.]com/abc123
Note that api_post.php is Pastebin's standard paste-creation endpoint, so a hit on that URL alone is not evidence of compromise; correlate it with the source host (build agents, CI runners, developer machines running Maven) and with the 15th-of-month timing before escalating.
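A hunt that applies that correlation to web-proxy logs, as an added example rather than code or data from the Socket write-up: it parses constructed proxy records, scores each paste-creation POST by whether it came from a build/CI host and whether it fell on the 15th, and rates a hit high only when all three coincide. The log lines and the `ci-`/`build-`/`runner-` hostname convention are assumptions for this example.

```python
"""Hunt for the Pastebin exfiltration pattern in web-proxy logs. Added example
with constructed log lines; not code or data from the Socket write-up."""
import re
from datetime import datetime

# Constructed proxy log lines: timestamp, source host, method, URL, status.
SAMPLE_LOG = """\
2025-03-15T02:14:07Z ci-runner-07 POST https://pastebin.com/api/api_post.php 200
2025-03-15T02:14:09Z ci-runner-07 GET https://repo1.maven.org/maven2/com/github/scribejava/ 200
2025-03-14T11:02:44Z dev-laptop-3 GET https://pastebin.com/raw/teamnotes 200
2025-03-15T09:30:12Z ci-runner-02 POST https://pastebin.com/api/api_post.php 200
2025-03-16T08:00:00Z ci-runner-07 POST https://pastebin.com/api/api_post.php 200
this line is not a proxy record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
# Hostname convention for build/CI machines; an assumption for this example.
BUILD_HOST_RE = re.compile(r"^(ci|build|runner)-", re.IGNORECASE)
# Pastebin's paste-creation endpoint. On its own it is a weak indicator, since
# any tool that creates pastes calls it; source host and timing carry the signal.
PASTE_CREATE_RE = re.compile(r"^https?://pastebin\.com/api/api_post\.php", re.IGNORECASE)
TRIGGER_DAY = 15  # the day-of-month gate described in the write-up


def parse_line(line: str):
    """Parse one proxy record; return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def reasons_for(event) -> list:
    """List why an event is suspicious; an empty list means not interesting."""
    reasons = []
    if event["method"] == "POST" and PASTE_CREATE_RE.match(event["url"]):
        reasons.append("paste creation")
        if BUILD_HOST_RE.match(event["host"]):
            reasons.append("from build/CI host")
        if event["ts"].day == TRIGGER_DAY:
            reasons.append("on the 15th")
    return reasons


def hunt(log_text: str) -> list:
    """Return hits in log order. Severity is 'high' when paste creation, build
    host and trigger day all coincide, 'medium' when only two of the three hold."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = reasons_for(event)
        if len(reasons) >= 2:
            hits.append({
                "host": event["host"],
                "when": event["ts"].isoformat(),
                "severity": "high" if len(reasons) == 3 else "medium",
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["host"], hit["when"], ", ".join(hit["reasons"]))
```

The medium-severity hit on the 16th is deliberate: a build host creating pastes is worth a look on any day, and keeping it in the output avoids tuning the rule so tightly to the 15th that a variant with a different trigger day slips past.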


Full Story: https://socket.dev/blog/malicious-maven-package-exfiltrates-oauth-credentials