From the factory floor to online shopping, the benefits of automation are clear: Larger quantities of products and services can be produced much faster. But automation can also be used for malicious purposes, as illustrated by the ongoing software supply chain attack targeting the NPM package repository. By automating the process of creating and publishing malicious packages, the threat actor behind this campaign has taken things to a new scale. The malicious modules, which target Azure and Uber developers among others, use techniques such as dependency confusion to retrieve private user information.
The packages related to this attacker were detected and blocked by WhiteSource Diffend within minutes of their release, and all were reported to NPM. WhiteSource research teams continuously monitor, detect, block, and report these packages and similar malicious modules.
As of March 31, 2022, the WhiteSource security teams have observed the publication of more than 900 malicious packages by this threat actor, who started publishing malicious packages on February 23, 2022. That breaks down to an average of nearly 25 packages per day, making this one of the largest malicious campaigns seen to date. As of the date this blog was published (March 31, 2022), the malicious campaign is ongoing. Indeed, it seems as though the threat actor is well aware of recent media attention, as one of the latest packages released was named “helloscanners4.”
While we observed the first malicious package released by the actor on February 23, we suspect that this is not their first rodeo. At least one of the payloads used by the attacker was previously associated with a malicious attack launched on September 30, 2021, in a malicious package named azure-api-style-guide, version 2.0.1, which has already been taken down from the NPM registry. Although we can’t definitively confirm that the two attacks originate from the same actor, it does establish a pattern of use.
The attacker has also continued to modify the malicious code over the course of this campaign. For example, in the version released on March 30, 2022, we see obfuscation of the code. In another package, called serotonine320 and released April 1, 2022, we see the obfuscated code in the README file. It’s also worth noting that the attacker is releasing empty packages alongside the malicious modules. While that may seem innocuous at first glance, it is not. An empty package can serve as a back door for a threat actor, who can upload malicious content into it in a later version. Empty packages should therefore be treated as unwanted code and removed.
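Two of the hallmarks described above, private package names resolved from the public registry (the dependency-confusion vector) and empty packages that could be filled in later, can be checked for in a project's dependency inventory. The following is an added example written for this repost; it is not WhiteSource's or NPM's code. It assumes a constructed inventory shaped like the `packages` entries of a package-lock.json with a per-package file list added, and a constructed set of names the organisation only ever publishes to its private registry (the `acme` names and `npm.acme.example` host are placeholders).

```javascript
// Added defensive example (not from the original post): flag two risk signals
// in a dependency inventory.
//   1. dependency-confusion risk: a name that belongs to the organisation's
//      private registry but was resolved from the public NPM registry.
//   2. empty package: a tarball that ships nothing beyond package.json, which
//      a publisher can later turn into a malicious release.

const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Constructed sample: names that exist only in the private registry.
const PRIVATE_PACKAGE_NAMES = new Set(['acme-internal-utils', '@acme/auth-client']);

// Constructed sample inventory. "resolved" mirrors the lockfile field;
// "files" is the tarball's file list (hypothetical, assumed to be extracted
// from the package contents by a separate step).
const SAMPLE_INVENTORY = [
  { name: 'left-pad', version: '1.3.0',
    resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
    files: ['package.json', 'index.js'] },
  { name: 'acme-internal-utils', version: '1.0.0',
    resolved: 'https://registry.npmjs.org/acme-internal-utils/-/acme-internal-utils-1.0.0.tgz',
    files: ['package.json', 'index.js'] },
  { name: '@acme/auth-client', version: '2.1.0',
    resolved: 'https://npm.acme.example/@acme/auth-client/-/auth-client-2.1.0.tgz',
    files: ['package.json', 'lib/index.js'] },
  { name: 'placeholder-pkg', version: '1.0.0',
    resolved: 'https://registry.npmjs.org/placeholder-pkg/-/placeholder-pkg-1.0.0.tgz',
    files: ['package.json'] },
];

// True when the package was fetched from the public registry.
function isPublicRegistry(resolvedUrl) {
  return typeof resolvedUrl === 'string' && resolvedUrl.startsWith(PUBLIC_REGISTRY);
}

// True when the tarball carries no file other than its manifest.
function isEmptyPackage(files) {
  return files.every((f) => f === 'package.json');
}

// Walk the inventory and return one finding per (package, issue) pair.
function auditInventory(inventory, privateNames) {
  const findings = [];
  for (const pkg of inventory) {
    if (privateNames.has(pkg.name) && isPublicRegistry(pkg.resolved)) {
      findings.push({ name: pkg.name, version: pkg.version, issue: 'dependency-confusion' });
    }
    if (isEmptyPackage(pkg.files)) {
      findings.push({ name: pkg.name, version: pkg.version, issue: 'empty-package' });
    }
  }
  return findings;
}

// Run against the constructed sample: expect acme-internal-utils flagged for
// dependency confusion and placeholder-pkg flagged as empty.
for (const f of auditInventory(SAMPLE_INVENTORY, PRIVATE_PACKAGE_NAMES)) {
  console.log(`${f.issue}: ${f.name}@${f.version}`);
}
```

The dependency-confusion check only works if the private-name list is authoritative, so it should be generated from the private registry rather than maintained by hand; the empty-package check is a signal to review, not proof of malice, but under the guidance above such packages are candidates for removal either way.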
The attack vector used by this malicious actor is both widely known and frequently used. What’s new about this is the scale of the attack. By applying automation to the process, the attacker was able to generate a very large number of malicious packages, as well as more easily sustain the attack over time.
But other than the large attack scale (and the resulting public attention), which created a lot of noise, does this attack campaign warrant extra precaution? The answer is no — keep the usual precautions with npm packages.
A little perspective helps explain why. In the past three months, WhiteSource Diffend found more than 2,000 malicious packages within NPM, meaning that more than 1,100 malicious packages were unrelated to this campaign. The reality is that attackers publish malicious packages to NPM on a daily basis, and many of them use the same exfiltration methods deployed in this campaign. We also see many cases where obfuscation techniques are used.
Reposted with permission. Original article published by WhiteSource : https://www.whitesourcesoftware.com/resources/blog/automated-software-supply-chain-attacks-should-you-be-worried/