- 17 NPM packages with more than one million combined weekly downloads were compromised to deliver a RAT
- The attack could turn into a major supply chain attack, experts warned
- The packages have been deprecated, but users should stay on guard
More than a dozen NPM packages were poisoned with a remote access Trojan (RAT), potentially infecting millions of projects.
Cybersecurity researchers at Aikido Security recently discovered malicious code hidden deep inside 17 popular gluestack packages.
The packages cumulatively have more than one million weekly downloads, which means that a large number of users could be affected, experts warned.
Access token revocation
Here is the complete list of compromised packages:
- @react-native-aria/button
- @react-native-aria/checkbox
- @react-native-aria/combobox
- @react-native-aria/disclosure
- @react-native-aria/focus
- @react-native-aria/interactions
- @react-native-aria/listbox
- @react-native-aria/menu
- @react-native-aria/overlay
- @react-native-aria/radio
- @react-native-aria/switch
- @react-native-aria/toggle
- @react-native-aria/utils
- @gluestack-ui/utils
- @react-native-aria/separator
- @react-native-aria/slider
- @react-native-aria/tabs
The packages carried malicious code that connected to the attackers' command-and-control (C2) server and received additional commands, including, among other things, the ability to upload single or multiple files.
In addition, the Trojan can perform Windows PATH hijacking and silently override the legitimate python and pip commands.
In response, gluestack revoked the access token that had been used to publish the compromised packages. All poisoned versions are marked as deprecated on NPM.
“Unfortunately, unpublishing the compromised versions was not possible due to dependent packages,” said a gluestack developer on GitHub. “As mitigation, I have deprecated the affected versions and updated the latest tag to point to a safe, earlier version.”
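Because the poisoned versions remain downloadable and only the latest tag was moved, a project's lockfile may still pin one of them. As an added example (not from the article and not gluestack's own tooling), the following Node.js script scans a package-lock.json for the 17 package names listed above so the installed versions can be compared with the versions deprecated on npm; the sample lockfile and its version strings are constructed placeholders.

```javascript
// Added example (not from the article): scan an npm package-lock.json for the 17
// gluestack packages listed above and report each installed version for comparison
// with the versions gluestack deprecated on npm.
const COMPROMISED_PACKAGES = new Set([
  "@react-native-aria/button", "@react-native-aria/checkbox",
  "@react-native-aria/combobox", "@react-native-aria/disclosure",
  "@react-native-aria/focus", "@react-native-aria/interactions",
  "@react-native-aria/listbox", "@react-native-aria/menu",
  "@react-native-aria/overlay", "@react-native-aria/radio",
  "@react-native-aria/switch", "@react-native-aria/toggle",
  "@react-native-aria/utils", "@gluestack-ui/utils",
  "@react-native-aria/separator", "@react-native-aria/slider",
  "@react-native-aria/tabs",
]);
// Name from a lockfile v2/v3 "packages" key like "node_modules/a/node_modules/@s/b".
function nameFromPath(path) {
  const idx = path.lastIndexOf("node_modules/");
  return idx === -1 ? path : path.slice(idx + "node_modules/".length);
}
// Lockfile v1 keeps a nested "dependencies" tree; walk it recursively.
function walkV1(deps, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    if (COMPROMISED_PACKAGES.has(name)) out.push({ name, version: info.version });
    walkV1(info.dependencies, out);
  }
}
// Returns [{ name, version }] for every listed package present in the lockfile.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2 and 3
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === "") continue; // "" is the root project itself
      const name = nameFromPath(path);
      if (COMPROMISED_PACKAGES.has(name)) hits.push({ name, version: info.version });
    }
  } else { // lockfileVersion 1
    walkV1(lock.dependencies, hits);
  }
  return hits;
}
// Constructed sample lockfile; version strings are placeholders, not real releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@react-native-aria/focus": { version: "0.0.0-placeholder" },
    "node_modules/ui/node_modules/@gluestack-ui/utils": { version: "0.0.0-placeholder" },
  },
};
console.log(findCompromised(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` and check each reported version against the deprecation notices on npm.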
The Node Package Manager (NPM) is the default package manager for the JavaScript runtime Node.js. It is used to install libraries, share packages with the community, manage dependencies, run scripts and more.
It is so popular that it has millions of monthly visitors and hundreds of thousands of registered accounts that frequently publish their packages.
Unfortunately, popular platforms attract threat actors in large numbers, and situations like this are not uncommon on NPM or on similar platforms such as GitHub or PyPI.
Via BleepingComputer