Attackers increasingly are using malicious JavaScript packages to steal data, engage in crypto-jacking & unleash botnets, offering a wide supply-chain attack area for threat players.
More than 1,300 malicious packages have been identified in the most often-downloaded JavaScript package repository used by developers, npm, in the last 6 months — a rapid increase that shows how npm has become a launchpad for a range of bad activities.
Disturbing Increase
New research from open-source security & management firm WhiteSource has discovered the disturbing increase in the delivery of malicious npm packages, which are used as building blocks for web applications. Any app using a malicious code block could be serving up data theft, crypto-jacking, botnet delivery & more to its users.
Out of the malicious packages found, 14% were designed to steal sensitive information like credentials, while nearly 82% of those packages were performing “reconnaissance,” which involved adversaries actively or passively gathering information that can be used to support targeting, the firm stated.
20b Times a Week
Because npm packages in general are being downloaded upwards of 20b times a week & thus installed across countless web-facing components of software & applications across the world–exploiting them means a sizeable playing field for attackers, researchers explained in their Wed. report.
An average of 32,000 new npm package versions are published every month (17,000 daily), & a full 68% of developers depend upon it to create rich online functionality, according to WhiteSource.
Malicious Packages
That level of activity enables threat players to launch a number of software supply-chain attacks, researchers outlined. Accordingly, WhiteSource investigated malicious activity in npm, identifying more than 1,300 malicious packages in 2021 — which were subsequently removed, but may have been brought into any number of applications before they were taken down.
“Attackers are focusing more efforts on using npm for their own nefarious purposes & targeting the software supply chain using npm,” they wrote in the report. “In these supply-chain attacks, adversaries are shifting their attacks upstream by infecting existing components that are distributed downstream & installed potentially millions of times.”
Also, with so many npm packages being released monthly, it is also easy for some vulnerabilities to evade detection, researchers noted.
Why Attack npm?
JavaScript is the most commonly used programming language, & there are about 16.4m JavaScript developers globally, according to WhiteSource.
Its widespread use & deployment across applications & systems that use the internet also makes the JavaScript ecosystem a major target for attackers, researchers explained. Npm itself is 1 of the most popular package managers & registries, containing more than 1.8m active packages, each of which has an average of 12.3 versions, researchers stated.
Package registries like npm also store packages, the metadata associated with them & the configurations that are needed to install them — all of which represent attack areas, making it difficult for IT to keep up, especially when the need to track versions of packages is factored.
Minimum Standard
Also, although npm & other registries play an integral role in the JavaScript development process, “there is a minimum standard of security associated with them” because most of them are maintained & verified by open-source communities or consortiums, researchers observed. This makes them ripe for exploitation by attackers, according to WhiteSource.
Attackers are certainly onto the malicious opportunity npm represents & have already targeted its popular registries in several high-profile attacks last year.
Stealing Passwords
In Jan., attackers used npm to spread the Cursed Grabber malware that could steal Discord tokens & thus enable attacks on users’ accounts & servers. Then in July, researchers found a malicious npm package that was stealing passwords via Chrome’s account-recovery tool.
In Dec., attackers used npm to target Discord again, hiding malicious code within the package manager to harvest Discord tokens that can be used to take over unsuspecting users’ accounts & servers.
Common Malware, Targets & Impact
WhiteSource researchers identified some of the most common malware hidden in malicious npm packages that they observed in the report, with payloads that can steal credentials or crypto & run botnets among the top offenders.
Some of the malicious packages & their functionality that WhiteSource identified in its investigation include:
- mos-sass-loader & css-resources-loader, which engage in ‘brandjacking’ for remote code execution (RCE);
- circle-admin-web-app & browser-warning-ui, which select external packages including malware for download;
- @grubhubprod_cookbook, which engages in dependency confusion aimed at entering Grubhub company data
- H98dx,a remote shell executable that runs upon install to infect machine; &
- Azure-web-pubsub-express, which enables data aggregation that collects host information.
Researchers also described a supply-chain attack that they observed in October using a popular npm library, ua-parser-js, which is used to parse user agent strings to identify a user’s browser, OS, device & other attributes. The library has more than 7m weekly downloads, they outlined.
Sensitive Data
Threat players used ua-parser-js to enter the software supply chain & gain access to sensitive data, as well as vulnerable enterprise resources in the cloud, researchers explained.
“Attackers inserted malicious code into 3 versions of ua-parser-js after seemingly taking over the developer’s npm account,” researchers wrote. “Three new versions of this package were released in an attempt to get users to download them.”
While the previously clean version of the package was 0.7.28, the attacker published identical 0.7.29, 0.8.0 & 1.0.0 packages, “each containing malicious code that was activated upon installation,” they explained.
Especially Vigilant
The author of the package responded quickly to mitigate attacks & attempt to minimise the number of people who were inadvertently installing a malicious package by publishing 0.7.30, 0.8.1 & 1.0.1, researchers added.
Developers should be especially vigilant when downloading npm packages on weekends, as they are the most time of the week for attackers to release malicious packages, researchers found.
This is likely because less people are working & thus online, making it easier for their activity to go unnoticed, they concluded.
