Malicious JavaScript compromise on npmjs.com
These packages, about a billion downloads prior:
supports-hyperlinks
chalk-template
simple-swizzle
slice-ansi
error-ex
is-arrayish
wrap-ansi
backslash
color-string
color-convert
color
color-name
Thread follows.
Kevin Beaumont, in reply to Kevin Beaumont:
Malicious JS in NPM libraries - Pastebin.com (link)
Kevin Beaumont, in reply to Kevin Beaumont:
derekheld (@derekheld@infosec.exchange) - Infosec Exchange (link)
Kevin Beaumont, in reply to Kevin Beaumont:
If you want an idea of scale of trojan attempt - 'color' alone had 32m downloads in a week, the combined attempt was pushing a billion due to upstream dependencies.
Hunt tip: look for registry.npmjs.org in proxy logs, package names are in the URLs.
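One way to act on that hunt tip, added here as an example that is not part of the thread or of any tool it mentions: a Python script that reads proxy log lines, pulls the package name and version out of registry.npmjs.org metadata and tarball URLs, and reports fetches of the packages named in this thread. The log layout (`timestamp client method url status`), the client addresses, the timestamps and the chalk version are all constructed for the sample; adapt LOG_RE to your proxy's format. The only bad version the script knows is is-arrayish 0.3.3, which Hannu mentions further down the thread; fill KNOWN_BAD from the advisory, because a name match alone only says the package was fetched, not that the trojaned version was.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import unquote

# Packages named in this thread (list constructed from the posts, not from an advisory).
WATCHLIST = {
    "ansi-styles", "debug", "chalk", "supports-color", "strip-ansi", "ansi-regex",
    "has-ansi", "supports-hyperlinks", "chalk-template", "simple-swizzle",
    "slice-ansi", "error-ex", "is-arrayish", "wrap-ansi", "backslash",
    "color-string", "color-convert", "color", "color-name",
}
# Versions confirmed bad: only is-arrayish 0.3.3 is named in the thread; extend from the advisory.
KNOWN_BAD = {"is-arrayish": {"0.3.3"}}

# Assumed proxy log layout (constructed): "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)
# Tarball download: registry.npmjs.org/<name>/-/<basename>-<version>.tgz
# Scoped names appear as @scope/name or, with some clients, @scope%2fname.
TARBALL_RE = re.compile(
    r"registry\.npmjs\.org/(?P<name>(?:@[^/]+(?:/|%2[fF]))?[^/]+)/-/[^/]+-(?P<version>\d+\.\d+\.\d+[^/]*)\.tgz",
    re.IGNORECASE,
)
# Packument (metadata) fetch: registry.npmjs.org/<name> followed only by an optional query string.
META_RE = re.compile(
    r"registry\.npmjs\.org/(?P<name>(?:@[^/\s?]+(?:/|%2[fF]))?[^/\s?]+)(?=[?\s]|$)",
    re.IGNORECASE,
)


class Hit(NamedTuple):
    ts: str
    client: str
    package: str
    version: Optional[str]  # None for a metadata fetch
    known_bad: bool


def extract_npm_package(url: str) -> Optional[tuple]:
    """(package, version) for a registry tarball URL, (package, None) for a metadata URL, else None."""
    m = TARBALL_RE.search(url)
    if m:
        return unquote(m.group("name")), m.group("version")
    m = META_RE.search(url)
    if m:
        return unquote(m.group("name")), None
    return None


def hunt(lines, watchlist=WATCHLIST, known_bad=KNOWN_BAD) -> list:
    """One Hit per log line that fetched a watchlisted package from the npm registry."""
    hits = []
    for line in lines:
        lm = LOG_RE.match(line)
        if not lm:
            continue  # unparseable line; count these in a real run so gaps are visible
        found = extract_npm_package(lm.group("url"))
        if not found:
            continue
        name, version = found
        if name not in watchlist:
            continue
        bad = version is not None and version in known_bad.get(name, set())
        hits.append(Hit(lm.group("ts"), lm.group("client"), name, version, bad))
    return hits


# Constructed sample lines; the chalk version is invented and says nothing about which chalk release was bad.
SAMPLE_LOG = """\
2025-09-08T13:58:02Z 10.20.0.15 GET https://registry.npmjs.org/chalk 200
2025-09-08T13:58:03Z 10.20.0.15 GET https://registry.npmjs.org/chalk/-/chalk-5.0.0.tgz 200
2025-09-08T14:01:10Z 10.20.0.41 GET https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.3.3.tgz 200
2025-09-08T14:01:11Z 10.20.0.41 GET https://registry.npmjs.org/@types%2fnode/-/node-20.11.0.tgz 200
2025-09-08T14:02:00Z 10.20.0.41 GET https://mirror.example/chalk/-/chalk-5.0.0.tgz 200
2025-09-08T14:02:30Z 10.20.0.77 GET https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz 200
""".splitlines()

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        flag = "KNOWN BAD" if h.known_bad else "review version"
        print(f"{h.ts} {h.client} {h.package}@{h.version or '(metadata)'}  {flag}")
```

If installs go through an internal mirror (the `mirror.example` line above is deliberately ignored), the host in the two URL patterns has to be changed to the mirror's, and the mirror's own access log is usually the better source anyway.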
Martin Seeger, in reply to Kevin Beaumont:
We could see that coming for a long time. In a text I published in a German magazine last year I even predicted that color packages would be used.
But what good did it do us to foresee it? Rather little or next to none…
Kevin Beaumont, in reply to Kevin Beaumont:
Additional backdoored packages:
ansi-styles
debug
chalk
supports-color
strip-ansi
ansi-regex
has-ansi
Kevin Beaumont, in reply to Kevin Beaumont:
Weekly download stats for impacted packages prior to incident:
ansi-styles (371.41m)
debug (357.6m)
backslash (0.26m)
chalk-template (3.9m)
supports-hyperlinks (19.2m)
has-ansi (12.1m)
simple-swizzle (26.26m)
color-string (27.48m)
error-ex (47.17m)
color-name (191.71m)
is-arrayish (73.8m)
slice-ansi (59.8m)
color-convert (193.5m)
wrap-ansi (197.99m)
ansi-regex (243.64m)
supports-color (287.1m)
strip-ansi (261.17m)
chalk (299.99m)
Total 2674m
David Penfold, in reply to Kevin Beaumont:
Ooh, please change your retina every three months...
It's a pretty neat ploy though.
VessOnSecurity, in reply to Kevin Beaumont:
But, but, but... They said 2FA prevented phishing!
When is 2FA not 2FA? When it is 2SV.
Martijn Vos, in reply to Kevin Beaumont:
@Kevin Beaumont
This is called spear phishing: targeting a specific person with a tailored and therefore much more credible phishing attack than the usual broad attack surface.
varx/tech, in reply to Kevin Beaumont:
...phew, nothing dangerous then.
(Yeah yeah, I know they could swap it out for something worse.)
Simon newslttrs.com, in reply to Kevin Beaumont:
// pastebin.com/bwLZrq02 deobfuscated by obf-io.deobfuscate.io/ - Pastebin.com (link)
Adrian Sanabria, in reply to Kevin Beaumont:
wow, Pastebin just tried to give me malware while trying to view malware on Pastebin
how apropos
Hannu Klemetti, in reply to Kevin Beaumont:
Seems like they are fixing the problem by removing affected versions. At least is-arrayish now shows an older version as latest, when it was 0.3.3 moments ago.
Too bad that there is no trace in the npm repo that this happened, but I guess that's the only suitable option.
Brian Campbell, in reply to Kevin Beaumont:
Holy hell, these are some widely used packages. I've found tons of them in dependencies in our source code.
Looks like the bad versions are already being yanked. Can't find the compromised is-arrayish any more (was looking at it just a few minutes ago). supports-hyperlinks now has a new version published that reverts the change, though the bad version is still in the history. Likewise with chalk-template, wrap-ansi, etc.
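A way to do what Brian describes across a code base, added here as an example that is not from the thread or from any of the projects it names: a Python audit of package-lock.json that lists every installed copy of the packages named above, with the install path (so you can see which direct dependency pulled it in) and the URL it resolved from. It handles lockfileVersion 1 (nested `dependencies`) as well as 2 and 3 (flat `packages` map keyed by path). The two lockfiles embedded below are constructed for a hypothetical app, and their versions are chosen for illustration, except is-arrayish 0.3.3, which Hannu mentions above; `npm ls <package>` gives a similar view per package, but this runs offline over the lockfile and over many repositories at once.

```python
import json
from typing import Iterator

# Packages named in this thread (list constructed from the posts, not from an advisory).
WATCHLIST = {
    "ansi-styles", "debug", "chalk", "supports-color", "strip-ansi", "ansi-regex",
    "has-ansi", "supports-hyperlinks", "chalk-template", "simple-swizzle",
    "slice-ansi", "error-ex", "is-arrayish", "wrap-ansi", "backslash",
    "color-string", "color-convert", "color", "color-name",
}
# Only bad version the thread names (is-arrayish 0.3.3); extend from the advisory.
KNOWN_BAD = {"is-arrayish": {"0.3.3"}}


def _name_from_path(path: str) -> str:
    """'node_modules/express/node_modules/debug' -> 'debug'; scoped names keep '@scope/name'."""
    return path.rsplit("node_modules/", 1)[-1]


def _walk_v1(deps: dict, prefix: str) -> Iterator:
    """lockfileVersion 1 nests 'dependencies' recursively; rebuild the install path as we go."""
    for name, info in deps.items():
        path = f"{prefix}node_modules/{name}"
        yield path, name, info
        yield from _walk_v1(info.get("dependencies", {}), path + "/")


def installed_packages(lock: dict) -> Iterator:
    """Yield (install path, package name, lock entry) for every installed package."""
    if "packages" in lock:  # lockfileVersion 2 and 3: flat map keyed by install path
        for path, entry in lock["packages"].items():
            if path == "" or entry.get("link"):
                continue  # "" is the root project; link entries are workspace symlinks
            yield path, _name_from_path(path), entry
    else:  # lockfileVersion 1
        yield from _walk_v1(lock.get("dependencies", {}), "")


def audit(lock: dict, watchlist=WATCHLIST, known_bad=KNOWN_BAD) -> list:
    """Every installed copy of a watchlisted package, where it sits and what it resolved to."""
    findings = []
    for path, name, entry in installed_packages(lock):
        if name not in watchlist:
            continue
        version = entry.get("version", "?")
        findings.append({
            "name": name,
            "version": version,
            "path": path,                           # shows which direct dependency pulled it in
            "resolved": entry.get("resolved", ""),  # a non-registry host deserves a second look
            "known_bad": version in known_bad.get(name, set()),
        })
    return sorted(findings, key=lambda f: f["path"])


# Constructed lockfiles for a hypothetical app; versions chosen for illustration except is-arrayish 0.3.3.
SAMPLE_LOCK_V3 = {
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"chalk": "^5.0.0", "express": "^4.18.0", "simple-swizzle": "^0.2.0"}},
        "node_modules/chalk": {"version": "5.0.0", "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.0.0.tgz"},
        "node_modules/express": {"version": "4.18.2", "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"},
        "node_modules/express/node_modules/debug": {"version": "2.6.9", "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz"},
        "node_modules/simple-swizzle": {"version": "0.2.2", "resolved": "https://registry.npmjs.org/simple-swizzle/-/simple-swizzle-0.2.2.tgz"},
        "node_modules/simple-swizzle/node_modules/is-arrayish": {"version": "0.3.3", "resolved": "https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.3.3.tgz"},
        "node_modules/lodash": {"version": "4.17.21", "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "express": {"version": "4.18.2", "dependencies": {"debug": {"version": "2.6.9"}}},
        "lodash": {"version": "4.17.21"},
    },
}

if __name__ == "__main__":
    import sys
    # Pass a real package-lock.json path to audit it; otherwise the constructed sample is used.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK_V3
    for f in audit(lock):
        print(f"{'KNOWN BAD' if f['known_bad'] else 'check    '} {f['name']}@{f['version']}  ({f['path']})")
```

A finding without `known_bad` is not a clean bill of health: it means the lockfile pins a version the script has not been told about, so compare it against the advisory before moving on, and treat a `resolved` URL pointing anywhere other than the expected registry as its own finding.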
Amgine (unknown parent):
There are bike sheds in Skegness?
Painted what colour?
tautology (unknown parent):
The trend in npm to use trivial libraries, i.e. ones you can replace in one expression, really doesn't help.
When we do training on this I point the finger at is-even which is dependent on is-odd and is-number and can be replaced by (x % 2) == 0
codehorse, in reply to Kevin Beaumont:
One would think that rimrafall and others should have done the job to raise awareness
Stefan Gast (unknown parent):
In programming, you need some good understanding of what you are doing.
Brute-force prompting an AI until it spits out something that appears to be working does not qualify for this.
Building some Frankenstein's application from hundreds of unchecked, mostly trivial third-party libraries does not qualify, either.
Cadmus (unknown parent):
:hacker_p: :hacker_f: :hacker_t:
Rupert V/ (unknown parent):
Dependency - xkcd (link)
Erlend Oftedal (unknown parent):
Just One Package More - suno.com (link)
SpaceLifeForm, in reply to Kevin Beaumont:
Now we know npm is hosted in Nebraska.
xkcd.com/2347/
Dependency - xkcd (link)
Phil Burg (he/him) (unknown parent):
Help a dumb security guy out? I haven't been a developer since the 90s and I'm out of touch.
has-ansi was downloaded 12 million times this week - does that mean 12 million applications currently under development added it to their codebase this week?
Or applications using it were deployed to 12 million endpoints this week?
Or 12 million web sessions pulled this JavaScript code this week?
Or....something else entirely?
I've tried to find an answer to this via Google but no joy.
Hippo (unknown parent):
Shucks, I have the following libraries in #Convo
- color-convert
- color-names
- ansi-styles
- debug
- chalk
- supports-color
People, be careful when trying to do any #cryptocurrency transactions using an #XMPP messaging app on #KaiOS π€
Tane Piper (unknown parent):
I finally got around to writing about the entire mess (not just the latest incident)
tane.codes/@tanepiper/11517389β¦
Adrian Sanabria (unknown parent):
I understand the concept, I'm just saying I can't recall many cases where the attacker is as bold as just
cat malware.js >> main.js
Emory (unknown parent):
In case anyone is interested in this sort of thing, I've been hacking together some patterns and helpers for Fabric AI that you can use to parse `git log`s to spot tagged releases without a corresponding commit. I would accept and consider any feedback if anyone tries it out and has suggestions.
github.com/org-axiopisty/overnβ¦
GitHub - org-axiopisty/overnight-manager: a toolkit intended to be used to identify potentially tainted package releases