WhiteSource's automated malware detection platform, WhiteSource Diffend, detected a total of 1,300 malicious packages on NPM, within a period of six months ended December 2021.
All the malicious packages identified by WhiteSource were notified to NPM and were subsequently removed from the package registry.
NPM is a widely used package manager and registry with more than 1.8 million active packages, each package having a little more than 12 versions on average. A package is a prewritten set of useful functions that can be called into a programming environment without having to write each and every line of code from scratch.
NPM has become a constant target by bad actors, according WhiteSource. A report recently published by WhiteSource says that 57 per cent of attacks happen during three days of the week — Friday, Saturday and Sunday.
Most of these (81.7 per cent) are "reconnaissance" attacks, consisting of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Another 14 per cent of the attacks are designed to steal information like credentials and other sensitive details.
NPM attacks and their unique techniques
Some of the newer malware detected by WhiteSource included:
- Mos-sass-loader and css-resources-loader: packages intended to emulate the popular NPM packages style-resource-loader and saas-loader and designed insert malicious source code to download third party info-stealers and also gain connections for remote code execution (RCE);
- Circle-admin-web-app and browser-warning-ui: packages with malicious code designed to download OS-specific external packages with malware to initiate RCE;
- Noopenpaint: A troll package with no malicious code that launches a few applications out of turn and displays “you have been hacked;"
- @grubhubprod_cookbook: the package exploits dependency confusion to specifically target Grubhub, to intercept data and send it to a remote location;
- Azure-web-pubsub-express: a security research package with no harmful intent, to collect system data and network interface details and send them to interactsh.com;
- Reac1 and reect1: a mock-drill package posing as a research package and attempting to direct http requests from the host system to webhook.com;
- Mrg-message-broker: similar to @grubhubprod_cookbook, uses dependency confusion to steal environment data;
- @sixt-web/api-client-sixt-v2-apps: another dependency confusion package aggregating system data upon installation;
- @maui-mf/app-auth: a potential SRRF (server side request forgery) attack package running discovery of AWS metadata service instance roles and sending them to an external fake domain.
The majority of these attacks fall under four harmful threat categories including cryptomining, data stealing, botnets, and security research. The security research packages are those that pose as security research programs, but in reality, contain remote code execution (RCE) intended to gain full access into a host.
Other less harmful packages included script kiddies and SEO hacks. “Script kiddies are packages that do not cause harm or collect data but print disturbing messages like ‘You have been hacked’,” says Maciej Mansfeld, senior project manager at WhiteSource.
“A few packages also try to exploit the fact that NPM displays the README of packages on its online registry to build up SEO for their online presence. We’ve seen online casinos and erotic websites trying to exploit that.”
Dependency confusion poses major threat
The report recommends caution especially regarding attacks that look to exploit dependency confusion in NPM, and the fact that most of the bad code need not even be downloaded manually for the attack to work.
“A dependency confusion attack is a type of supply chain attack which occurs when a package manager is being manipulated into supplying a malicious code instead of the intended code,” says Mansfeld. “The most famous method to exploit this vulnerability is via a package managers' prioritisation mechanism to supply the latest versions.”
In such cases, when attackers successfully find an internal dependency package name, they can then create a public package with the same name with a higher version number. The malicious public package will then be preferred by the package manager and automatically installed whenever an update is called.
How to stay safe on NPM
The report recommends adopting a zero trust policy on the system, updating only when confident about the content of a package; being aware of the environment and tracking changes regularly; running continuous integration (CI) in isolated stage; and keeping close tabs on the SDLC (software development life cycle).
Watching out for packages that download remote components upon installation, and keeping track of all OSS (operation support system) components being used, are also good sanitary routines for NPM end users, according to Mansfeld.