In November 2024, supply chain attacks featured two key trends: attackers’ persistent use of “legitimate-first” package strategies and creative approaches like exploiting official documentation. Cryptocurrency remained the primary target through both credential theft and mining operations.
Let’s delve into some of the most striking events of November:
Dozens of Machines Infected: Year-Long NPM Supply Chain Attack Combines Crypto Mining and Data Theft
A malicious NPM package, masquerading as a legitimate XML-RPC implementation, operated for over a year — stealing data and mining cryptocurrency. Dozens of systems were affected. (Link to report).
xml-rpc attack flow
Malicious NPM Package Exploits React Native Documentation Example
An attacker published a malicious NPM package that mirrors an example from React Native’s official documentation, in an attempt to trick developers following the official guide. This highlights the need for careful package verification even when following official guides. (Link to report).
From React Native’s official documentationMalicious npm package mirroring example from React Native’s official documentation
Falling Stars
Two years after the discovery of StarJacking, an analysis of 21 package repositories reveals improved security measures against this threat — though the risk still persists in some repositories. (Link to report).
Example of PyPi ecosystem process — adding verification of the package metadata.
“aiocpa” Python Package Transforms From Legitimate Package to Crypto Thief
In November 2024, PyPI published an advisory about the aiocpa package, which was compromised when versions 0.1.13 and 0.1.14 introduced obfuscated malware designed to steal cryptocurrency credentials via Telegram. The attack was notable for its patience — the attacker maintained a legitimate package for months before adding malware, while keeping the GitHub repository clean. With thousands of downloads in its final month, aiocpa joins a growing trend where attackers establish legitimate packages before weaponizing them, in most cases to target cryptocurrency assets.
Our team will continue to hunt, squash attacks, and remove malicious packages in our effort to keep the open-source ecosystem safe.
I encourage you to stay up to date with the latest trends and tactics in software supply chain security by tuning into our future posts and learning how to defend against potential threats.
A recent discovery revealed how official documentation can become an unexpected attack vector for supply chain attacks. It happened when an npm package called “rtn-centered-text” exploited an example from React Native’s Fabric Native Components guide in an attempt to trick developers into downloading their package, putting systems at risk.
Key Findings
An attacker published a malicious package that mirrors an example from React Native’s official documentation, in an attempt to trick developers following the official guide.
By leveraging a subtle imprecision in package management instructions, the attack demonstrates how documentation can inadvertently become an attack vector
This incident highlights the importance of the principle “trust but verify”.
The Attack Vector: Documentation as an Entry Point
The React Native documentation for Fabric Native Components includes a detailed guide for creating custom components, using “RTNCenteredText” as an example. While the documentation is comprehensive and well-maintained, a subtle detail in the package update instructions created an unexpected security vulnerability.
The guide suggests using “yarn upgrade rtn-centered-text” to update local development packages.
However, this command first checks the npm registry for packages before looking at local files. An attacker exploited this behavior by publishing a malicious package with the same name on npm.
Community Response and Discovery
The security issue was first identified by a vigilant community member who submitted a pull request to the React Native documentation repository. The contributor noticed the malicious package on npm while following the documentation guide and immediately raised the alarm. Their quick action in reporting both to npm and the React Native team demonstrates the crucial role that community vigilance plays in maintaining ecosystem security.
Impact and Implications
The implications of this attack extend beyond immediate data exposure. It demonstrates how attackers are becoming increasingly sophisticated in their approach to supply chain attacks. By targeting documentation examples from trusted sources, they exploit the implicit trust developers place in official documentation.
This incident serves as a reminder that supply chain security requires vigilance at every level. Documentation must be precise about package management commands, developers need to verify package sources, and security tools should monitor for packages that may be impersonating official examples.
When working with package managers and following documentation, it is recommended for developers to use explicit paths when adding local packages. Instead of using “yarn upgrade”, use “yarn add ../package-name” to ensure you’re referencing local development packages.
Conclusion
This incident highlights the principle “trust but verify”. While developers naturally trust official documentation and guides from reputable sources, it’s crucial to maintain a careful verification process even when following trusted resources. This approach ensures that every component, package, and instruction is validated before implementation, protecting against potential security breaches that might exploit this trust.
The open-source community’s strength lies in its collaborative approach to identifying and addressing security concerns, but we must remain vigilant.
As part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious activities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play, including suspicious entry points, and promptly alert our customers to help protect them from potential threats.
Dozens of Machines Infected: Year-Long NPM Supply Chain Attack Combines Crypto Mining and Data Theft
Through our continuous monitoring of software supply chain threats, the Checkmarx Research team identified a supply chain attack that has remained active for over a year. The package, @0xengine/xmlrpc, began its life as a “legitimate” XML-RPC implementation in October 2023, but strategically transformed into a malicious tool in later versions and has remained active through November of 2024. This discovery serves as a stark reminder that a package’s longevity and consistent maintenance history do not guarantee its safety. Whether initially malicious packages or legitimate ones becoming compromised through updates, the software supply chain requires constant vigilance — both during initial vetting and throughout a package’s lifecycle.
Key Findings
A malicious NPM package masquerading as an XML-RPC implementation has maintained an unusually long presence on the NPM registry from October 2023 to November 2024, receiving 16 updates during this period.
The package started as a “legitimate” XML-RPC implementation and strategically introduced malicious code in later versions.
The malware steals sensitive data (SSH keys, bash history, etc..) every 12 hours while mining cryptocurrency on infected systems. Data is exfiltrated through Dropbox and file.io.
The attack achieved distribution through multiple vectors: direct NPM installation and as a hidden dependency in a legitimate-looking repository.
Evasion techniques include system monitoring detection and activity-based mining
At the time of investigation, it appeared that up to 68 compromised systems were actively mining cryptocurrency through the attacker’s Monero wallet.
Package History and Evolution
The malicious package “@0xengine/xmlrpc” first appeared on the NPM registry on October 2nd, 2023, presenting itself as a pure JavaScript XML-RPC server and client implementation for Node.js.
What makes this package particularly interesting is its strategic evolution from legitimate to malicious code. The initial release (version 1.3.2) and its immediate follow-up appeared to be legitimate implementations of XML-RPC functionality. However, starting from version 1.3.4, the package underwent a significant transformation with the introduction of malicious code in the form of heavily obfuscated code within the “validator.js” file.
Part of the obfuscated code
Over its year-long presence on NPM, the package has received 16 updates, with the latest version (1.3.18) published on October 4th, 2024. This consistent update pattern helped maintain an appearance of legitimate maintenance while concealing the malicious functionality.
Distribution Strategy
Our research uncovered a calculated supply chain attack involving two distribution vectors. The first involves direct installation of @0xengine/xmlrpc from NPM. The second, more sophisticated approach, involves a GitHub repository named “yawpp” (hxxps[:]//github[.]com/hpc20235/yawpp), which presents itself as a WordPress posting tool.
The yawpp repository appears legitimate, offering functionality for WordPress credential checking and content posting. It requires @0xengine/xmlrpc as a dependency, claiming to use it for XML-RPC communication with WordPress sites. This dependency is automatically installed when users set up the yawpp tool through standard npm installation.
This strategy is particularly effective as it exploits the trust developers place in package dependencies, potentially leading to inadvertent installation of the malicious package through what appears to be a legitimate project dependency.
The combination of regular updates, seemingly legitimate functionality, and strategic dependency placement has contributed to the package’s unusual longevity in the NPM ecosystem, far exceeding the typical lifespan of malicious packages that are often detected and removed within days.
Attack Flow
The attack orchestrated through @0xengine/xmlrpc operates through a sophisticated multi-stage approach that combines cryptocurrency mining with data exfiltration capabilities. The malicious functionality, concealed within validator.js, remains dormant until executed through one of two vectors:
Direct package users execute any command with the ‘ — targets’ or ‘-t’ flag. This activation occurs when running the package’s validator functionality, which masquerades as an XML-RPC parameter validation feature.
Users installing the “yawpp” WordPress tool from GitHub automatically receive the malicious package as a dependency. The malware activates when running either of yawpp’s main scripts (checker.js or poster.js), as both require the ‘ — targets’ parameter for normal operation.
This implementation ensures the malware activates through legitimate-looking tool usage, making detection more difficult.
Initial Compromise
Once triggered, the malware begins gathering system information:
Deobfuscated version of the system information gathering code
Following the initial data collection phase, the malware deploys its cryptocurrency mining component with a particular focus on Linux systems. The deployment process involves downloading additional payloads from a Codeberg repository disguised as system authentication services. The mining operation utilizes XMRig to mine Monero cryptocurrency, directing all mining rewards to a predetermined wallet address while connecting to the mining pool.
Deobfuscated configuration revealing the attacker’s Codeberg repository URLs used to fetch mining components
These downloaded components include:
XMRig: The actual cryptocurrency mining software
xprintidle: Used to detect user activity
Xsession.sh: The main script that orchestrates the mining operation
The mining operation is configured with specific parameters targeting Monero:
Monero mining configuration found in the downloaded Xsession.sh script
At the time of our investigation, we observed 68 miners actively connected to this wallet address through the hashvault.pro mining pool, indicating a possible significant number of compromised systems actively mining cryptocurrency for the attacker.
Sophisticated Evasion Mechanisms
The malware implements an advanced process monitoring system to avoid detection. It maintains a list of monitoring tools and continuously checks for their presence.
Deobfuscated version of the process monitoring evasion logic found in Xsession.sh — checks for and terminates mining when system monitoring tools are detected
The malware also carefully monitors user activity through the xprintidle utility. It only initiates mining operations after a specified period of inactivity (default: 1 minute) and immediately suspends operations when user activity is detected. This behavior is controlled by the INACTIVITY_IN_MINS parameter.
Maintaining Persistence
To ensure long-term survival on infected systems, the malware establishes persistence through systemd, disguising itself as a legitimate session authentication service named “Xsession.auth”. This service is configured to automatically start with the system, ensuring the mining operation resumes after system reboots. The malware also implements a daily check-in mechanism, regularly sending system status updates and potentially receiving new commands or configurations.
Deobfuscated systemd service configuration from Xsession.sh used for maintaining persistence
Data Exfiltration Pipeline
The malware implements a comprehensive data collection and exfiltration system that operates continuously. Every 12 hours, it performs a systematic collection of sensitive system information through a “daily_tasks” function found in Xsession.sh:
During each collection cycle, the malware systematically gathers a wide range of sensitive data including:
SSH keys and configurations from ~/.ssh
Command history from ~/.bash_history
System information and configurations
Environment variables and user data
Network and IP information through ipinfo.io
The stolen data is exfiltrated through two channels. One, using the Dropbox API with hardcoded credentials.
Additionally, the malware employs file.io as a secondary exfiltration channel, using a bearer token for authentication and setting automatic file deletion after download to minimize detection risks.
Conclusion
This year-long campaign serves as a stark reminder of the critical importance of thoroughly vetting open-source projects before incorporation into any software development process. Projects can be malicious from the start, maintaining a long-term presence while hiding their true nature, or legitimate projects can later become compromised and introduce malicious code through updates.
This dual threat emphasizes why developers and organizations must remain vigilant not only during initial vetting but also in monitoring package updates, implementing robust security measures, and conducting regular audits of their dependencies to mitigate the risks associated with supply chain attacks.
As part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious activities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play, including suspicious entry points, and promptly alert our customers to help protect them from potential threats.
Checkmarx One customers are protected from this attack.
October 2024 heralded a new chapter in supply chain security challenges, characterized by innovative attack techniques and cryptocurrency-focused threats. A groundbreaking entry point exploitation technique affecting multiple package ecosystems was unveiled, while the NPM ecosystem witnessed the first-ever use of Ethereum smart contracts for malware C2 infrastructure. The month also saw multiple sophisticated attacks on cryptocurrency wallets through PyPI packages and a notable compromise of the popular lottie-player package, despite 2FA protections, highlighting the increasing complexity of supply chain security threats.
Let’s delve into some of the most striking events of October:
This New Supply Chain Attack Technique Can Trojanize All Your CLI Commands
A new supply chain attack technique exploits entry points in various programming ecosystems, allowing attackers to trojanize CLI commands. This stealthy method poses risks to developers and enterprises, bypassing traditional security checks. (Link to report).
With 2FA Enabled: NPM Package lottie-player Taken Over by Attackers
NPM package lottie-player compromised via leaked automation token, bypassing 2FA. Malicious versions injected code to trick users into connecting crypto wallets. Swift response: safe version released, compromised versions unpublished. (Link to report).
Crypto-Stealing Code Lurking in Python Package Dependencies
A sophisticated cyber attack on PyPI targeted cryptocurrency wallets through malicious packages. The attack used deceptive strategies, distributed malicious code across dependencies, and only activated when specific functions were called, making detection challenging. (Link to report).
Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack
A malicious PyPI package “cryptoaitools” targeted cryptocurrency enthusiasts through a multi-vector supply chain attack. It used deceptive GUI, multi-stage infection, and comprehensive data exfiltration to steal crypto-related information from Windows and macOS users. (Link to report).
Supply Chain Attack Using Ethereum Smart Contracts to Distribute Multi-Platform Malware
A sophisticated NPM supply chain attack uses Ethereum smart contracts for C2 distribution. The cross-platform malware, targeting popular testing packages, affects Windows, Linux, and macOS through Typosquatting and preinstall scripts. (Link to report)
Our team will continue to hunt, squash attacks, and remove malicious packages in our effort to keep the open-source ecosystem safe.
I encourage you to stay up to date with the latest trends and tactics in software supply chain security by tuning into our future posts and learning how to defend against potential threats.
As part of our ongoing security efforts, we continuously monitor and detect malicious packages within various software ecosystems. Recently, we uncovered a unique supply chain attack through the NPM package “jest-fet-mock,” which implements a different approach using Ethereum smart contracts for command-and-control operations. The package masquerades as a popular testing utility while distributing malware across Windows, Linux, and macOS platforms. This discovery represents a notable difference in supply chain attack methodologies, combining blockchain technology with traditional attack vectors in a way not previously observed in npm. jest-fet-mock was the first package identified in a larger ongoing campaign targeting the npm ecosystem. Additional packages connected to this campaign were later reported by security firms Phylum and Socket.
Key Findings
First observed instance of malware utilizing Ethereum smart contracts for C2 server address distribution in the NPM ecosystem.
Typosquatting attack targeting developers by impersonating two legitimate, popular testing packages.
Cross-platform malware targeting Windows, Linux, and macOS development environments.
Uses NPM preinstall scripts to execute malicious code during package installation.
Performs info-stealing actions while establishing persistence mechanisms across infected systems.
The Art of Impersonation
The malicious package “jest-fet-mock”, published in mid-October, was designed to impersonate two legitimate and widely used JavaScript testing utilities.
The first, “fetch-mock-jest” (~200K weekly downloads), is a wrapper around fetch-mock that enables HTTP request mocking in Jest environments.
The second, “Jest-Fetch-Mock” (~1.3M weekly downloads), provides similar functionality through Jest’s native mocking capabilities.
Both legitimate packages are tools for testing HTTP requests in JavaScript applications. The attacker used a classic typosquatting technique by misspelling “fetch” as “fet” while maintaining the key terms “jest” and “mock”. Given that the legitimate packages are primarily used in development environments where developers typically have elevated system privileges, and are often integrated into CI/CD pipelines, we believe this attack specifically targets development infrastructure through the compromise of testing environments.
Attack Flow
Blockchain-Based Command & Control
Etherscan transaction details showing the smart contract’s getString method returning the C2 server address
The most distinctive aspect of this attack is how it leverages the Ethereum blockchain for its command-and-control infrastructure. When executed, the malware interacts with a smart contract at address “0xa1b40044EBc2794f207D45143Bd82a1B86156c6b”. Specifically, it calls the contract’s “getString” method, passing “0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84” as a parameter to retrieve its C2 server address.
By using the blockchain in this way, the attackers gain two key advantages: their infrastructure becomes virtually impossible to take down due to the blockchain’s immutable nature, and the decentralized architecture makes it extremely difficult to block these communications.
Understanding the Smart Contract Mechanism
Think of a smart contract on the Ethereum blockchain as a public bulletin board — anyone can read what’s posted, but only the owner has the ability to update it. The attackers in this case deployed such a contract, using it to store their C2 server address. Every time the malicious package is installed on a new system, it checks this bulletin board to find out where to download the actual malware. What makes this approach particularly effective is its flexibility. Instead of hardcoding server addresses in their malware, the attackers can simply update their smart contract whenever they need to point to a new server. This means that even if defenders successfully block one C2 server, the attackers can quickly switch to a new one by updating their contract, and all new infections will automatically connect to the new location.
Initial Execution
The attack chain begins during the npm package installation process through the preinstall script. This script determines the host operating system and constructs a platform-specific URL to download the appropriate payload. The malware then spawns a detached process, ensuring the malicious code continues running independently of the installation process.
Multi-Platform Malware
Our analysis revealed distinct malware variants designed for:
Windows (SHA-256: df67a118cacf68ffe5610e8acddbe38db9fb702b473c941f4ea0320943ef32ba),
Linux (SHA-256: 0801b24d2708b3f6195c8156d3661c027d678f5be064906db4fefe74e1a74b17),
and macOS (SHA-256: 3f4445eaf22cf236b5aeff5a5c24bf6dbc4c25dc926239b8732b351b09698653).
Notably, as of this writing, none of these files have been flagged as malicious by any security vendors on VirusTotal.
The malware variants demonstrated various capabilities including system reconnaissance, credential theft, and establishing persistence through platform-specific mechanisms — using AutoStart files in Linux and Launch Agent configuration (~/Library/LaunchAgents/com.user.startup.plist) in macOS.
Throughout their operation, all variants maintain consistent communication with the attacker’s C2 server, showcasing a coordinated cross-platform attack strategy aimed at compromising development environments.
Impact
By targeting development tools and testing utilities, attackers gain potential access to not only individual developer machines but also CI/CD pipelines and build systems. The use of blockchain technology for C2 infrastructure represents a different approach to supply chain attacks in the npm ecosystem, making the attack infrastructure more resilient to takedown attempts while complicating detection efforts.
The cross-platform nature of the malware, coupled with the fact that no security vendors have flagged these files as malicious on VirusTotal at the time of writing, makes this an actively dangerous threat to development environments.
Conclusion
The discovery of “jest-fet-mock” reveals how threat actors are finding different ways to compromise the software supply chain. This case serves as an important reminder for development teams to implement strict security controls around package management and carefully verify the authenticity of testing utilities, especially those requiring elevated privileges.
As part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious activities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play, including suspicious entry points, and promptly alert our customers to help protect them from potential threats.
Cryptocurrency enthusiasts have been the target of another sophisticated and invasive malware campaign. This campaign was orchestrated through multiple attack vectors, including a malicious Python package named “cryptoaitools” on PyPI and deceptive GitHub repositories. This multi-stage malware, masquerading as a suite of cryptocurrency trading tools, aims to steal a wide range of sensitive data and drain victims’ crypto wallets.
Key Findings
A malicious package “cryptoaitools” was uploaded to PyPI, impersonating legitimate cryptocurrency trading tools, complete with a seemingly functional trading bot implementation.
The malware activated automatically upon installation, targeting both Windows and macOS operating systems.
The attacker also distributed the malware through GitHub repositories, expanding the attack surface.
A deceptive graphical user interface (GUI) was used to distract victims while the malware performed its malicious activities in the background.
The malware employed a multi-stage infection process, utilizing a fake website that appeared legitimate to host and deliver second-stage payloads.
The malware displayed extensive data theft capabilities focused on cryptocurrency-related information, including wallet data, browser data, and sensitive system files.
Attack Flow
Initial Infection Vector
The CryptoAITools malware campaign began with the upload of a malicious package named “cryptoaitools” to PyPI. This package contained code for a seemingly legitimate cryptocurrency trading bot, including functions for automated trading on DEXs, price monitoring, and liquidity management. This legitimate-looking code served to disguise the malware’s true nature.
The malware activates automatically upon installation through the package’s __init__.py file. This file imports and executes the run_base() function from base.py:
__init__.py file
The run_base() function determines the victim’s operating system and executes the appropriate malware variant:
The malware employs platform-specific helper functions to execute different versions for Windows and macOS systems. While the Windows version (basec_helper.py) is less obfuscated, the macOS variant (base_helper.py) is more heavily disguised. Despite these differences, both versions perform similar malicious activities, including data theft and cryptocurrency-related operations. These helper functions are responsible for downloading and executing additional malicious payloads, thus initiating subsequent stages of the attack.
Multi-Stage Infection Process
The CryptoAITools malware employs a sophisticated multi-stage infection process, leveraging a fake website to deliver its secondary payloads.
After the initial infection via the PyPI package, the malware’s second stage begins with the execution of base_helper.py (for macOS) or basec_helper.py (for Windows). These scripts are responsible for downloading additional malicious components from a deceptive website.
The malware uses a domain that appears legitimate: https://coinsw.app. This domain hosts a convincing appearance of a cryptocurrency trading bot service, complete with fake user reviews, subscriber counts, and detailed descriptions of AI-driven trading features. This elaborate disguise attempts to add credibility if a curious user investigates the domain.
The helper script decodes a base64-encoded URL and a list of filenames:
It then downloads these files from the fake website.
These downloaded files constitute the secondary payloads, expanding the malware’s capabilities. Notable among these is MHTBot.py, which is executed immediately after download (For MAC a different set of files are downloaded and the main.py file is then executed immediately after download)
This multi-stage approach allows the malware to:
Maintain a small initial footprint in the PyPI package
Evade detection during the initial installation
Flexibly update and expand its capabilities post-infection
Use a legitimate-looking website as a hosting platform for malicious payloads
Deceptive GUI
A unique aspect of this attack, compared to many malicious packages we have seen in the past, is that the CryptoAITools malware incorporates a graphical user interface (GUI) as a key component of its social engineering strategy. This GUI appears the moment the second-stage malware is activated and presents itself as an “AI Bot Starter” application. It is designed to distract users and collect sensitive information while the malware operates covertly. The interface’s role is straightforward: it begins by prompting users to create a password “to start using the bot securely.” Once a new password is added, a fake setup process is displayed, featuring a progress bar and loading animations. While users are engaged and focused on this seemingly legitimate interface and its fake setup process, the malware continues its malicious operations in the background, including data theft and system manipulation.
Data Heist
The CryptoAITools malware conducts an extensive data theft operation, targeting a wide range of sensitive information on the infected system. The primary goal is to gather any data that could aid the attacker in stealing cryptocurrency assets. The malware’s data collection capabilities are implemented across several modules, each focusing on specific types of data or system areas.
Types of Data Targeted
Cryptocurrency wallet data from various applications (Bitcoin, Ethereum, Exodus, Atomic, Electrum, etc.)
Browser data: saved passwords, cookies, and browsing history
Data from a wide range of browser extensions related to cryptocurrency
Sensitive system files, including SSH keys and configuration files
Files from user directories (Downloads, Documents, Desktop) containing keywords related to cryptocurrencies, passwords, and financial information
Telegram application data, including configuration files and message databases
System terminal history
Data from Apple Notes and Stickies applications on macOS systems
Data Exfiltration Method
The malware’s exfiltration process begins with the collected data stored in a hidden .temp directory in the user’s home folder. For each file, the exfiltration script changes the file extension to ‘.minecraft’. It then uploads the file to gofile.io using their API. Upon successful upload, gofile.io returns a download link, which is then sent to a Telegram bot of the attacker. After transmission, the local copy of the exfiltrated file is deleted. The process also includes error handling to prevent disruptions to the malware’s operation.
The Attacker
Our continued investigation into this campaign revealed the attacker was employing multiple infection vectors and social engineering tactics. The attack is not limited to the malicious Python package on PyPI, but extends to other platforms and methods:
PyPI Package: The initial discovery of the malicious “cryptoaitools” package on PyPI.
GitHub Repository: The attacker also distributes the malware through a GitHub repository named “Meme-Token-Hunter-Bot”. This repository contains similar malicious code, potentially infecting users who clone and run the code directly from GitHub.
Fake Website: The attacker operates a fake website at https://coinsw.app/, which mimics a legitimate cryptocurrency trading bot service.
Telegram Channel: The website’s “Buy” page leads to a Telegram chat named “Pancakeswap prediction bot”, where the attacker directly engages with potential victims.
In the Telegram chat, the attacker employs various tactics to lure potential victims. They offer “bot support” to establish credibility and trust. To entice users, they promote their GitHub repository as hosting their “most powerful bot,” appealing to those seeking advanced trading tools. The attacker then proposes an attractive offer: a free trial period followed by a monthly subscription model, making the proposition seem both risk-free and professional. To further personalize the experience and maintain ongoing engagement, they offer customized configuration options and continuous support, which creates a facade of a legitimate, customer-focused service.
This multi-platform approach allows the attacker to cast a wide net, potentially reaching victims who might be cautious about one platform but trust another.
Analysis of the GitHub repository interactions suggests that the scope of the attack may be larger than initially thought. Users who have starred or forked the malicious repository could potentially be victims, though further investigation would be needed to confirm this.
Impact
The CryptoAITools malware campaign has severe consequences for victims and the broader cryptocurrency community. Individuals face immediate financial losses through cryptocurrency theft, along with long-term risks of identity theft and privacy breaches due to extensive data exfiltration.
The true scope of the attack may be larger than initially thought, particularly given the GitHub repository interactions. Users who starred or forked the malicious “Meme-Token-Hunter-Bot” repository are potential victims, significantly expanding the attack’s reach.
On a larger scale, this attack erodes trust in cryptocurrency tools and platforms, potentially slowing adoption and innovation in the cryptocurrency space.
Conclusion
This cryptobot malware serves as a potent reminder that the stakes — and the risks — are high in the world of cryptocurrency. As digital assets continue to gain value and popularity, we can expect to see more sophisticated threats targeting this space.
As part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious activities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play, including suspicious entry points, and promptly alert our customers to help protect them from potential threats.
The open source ecosystem, due to its widespread adoption, has become a prime target for supply chain attacks. Malicious actors often exploit built-in features of open source packages to automatically distribute and execute harmful code. They particularly favor two techniques: Automatic, preinstall scripts that execute upon package installation, and seemingly innocent packages that import malicious dependencies.
As these tactics have become more recognizable, current security tools and vigilant developers have improved at detecting them quickly. However, an often overlooked yet potentially dangerous feature remains: Entry points.
This blog post explores how attackers can leverage entry points across multiple programming ecosystems with an emphasis on Pypi to trick victims into running malicious code. While this method doesn’t allow for immediate system compromise like automatic scripts or malicious dependencies, it offers a subtler approach for patient attackers to infiltrate systems, potentially evading standard security measures.
By understanding this lesser-known vector, we can better defend against the evolving landscape of Open source supply chain attacks.
Key Points
Entry points, a powerful feature for exposing package functionality, are vulnerable to exploitation across various ecosystems including PyPI (Python), npm (JavaScript), Ruby Gems, NuGet (.NET), Dart Pub, and Rust Crates.
Attackers can leverage these entry points to execute malicious code when specific commands are run, posing a widespread risk in the open-source landscape.
Attack methods include command-jacking — impersonating popular third-party tools and system commands — and targeting various stages of the development process through malicious plugins and extensions. Each approach carries varying levels of potential success and detection risk.
Entry point attacks, while requiring user interaction, offer attackers a more stealthy and persistent method of compromising systems, potentially bypassing traditional security checks.
This attack vector poses risks to both individual developers and enterprises, highlighting the need for more comprehensive Python package security measures.
Understanding Python Entry Points
Entry points are a powerful feature of the packaging system that allows developers to expose specific functionality as a cli command without requiring users to know the exact import path or structure of the package.
Entry points serve several purposes which include:
Creating command-line scripts that users can run after installing a package.
Defining plugin systems where third-party packages can extend the functionality of a core package.
The most popular kind of entry point is console_scripts, which points to a function that you want to be made available as a command-line tool to whoever installs your package.
While primarily designed to enhance modularity and plugin systems, entry points can, if misused, become a vector for malicious actors to embed and execute harmful code. To understand how attackers can leverage Python entry points in their favor, let’s first understand how entry points were originally meant to work.
How Entry Points are Defined in Package Metadata
The location and format of entry point definitions can vary depending on the package format (wheel or source distribution).
Source Distributions (.tar.gz)
For source distributions, entry points are typically defined in a package’s setup configuration. This can be in setup.py, setup.cfg for traditional setups, or pyproject.toml for more modern packaging approaches.
Here’s an example of how entry points might be defined in setup.py:
Wheel Files (.whl)
In a wheel file, which is a built package format, entry points are defined in the entry_points.txt file within the .dist-info directory.
Here’s how the entry_points.txt file might look for the above example:
The syntax for entry points follows this pattern:
name: The name of the entry point (e.g., the command name for console scripts)
package.module: The Python module path
object: The object (function, class, etc.) within the module to be used
In the above examples, my_command is a console script that will be created during installation. Anytime after the package installation, when a user types my_command in their terminal, it will execute the my_function from mypackage.module.
The plugin_name is a custom entry point that could be used by my_package to discover plugins. It points to PluginClass in my_package.plugins.
When a package is installed, these entry points are recorded in the package’s metadata. Other packages or tools can then query this metadata to discover and use the defined entry points.
If an attacker can manipulate a legitimate package’s metadata or convince a user to install a malicious package, they can potentially execute arbitrary code on the user’s system whenever the defined command or plugin is invoked. In the following section, I will provide multiple methods an attacker could use to trick someone into executing their malicious code through entry points.
Understanding CLI Commands in Operating Systems
Command-line interface (CLI) commands are the primary means by which users interact with an operating system through a text-based interface. These commands are interpreted and executed by the shell, which acts as an intermediary between the user and the operating system.
When a user enters a command, the shell follows a specific resolution mechanism to locate and execute the corresponding program. The exact order can vary slightly between different shells. However, the process typically begins by checking in order the directories listed in the PATH environment variable and runs the first matching executable it finds. Users can view their current PATH by entering the command “echo $PATH” in their terminal (the exact command will differ between operating systems), which displays the list of directories the shell searches for executables.
This resolution process ensures that when a user types a command, the appropriate action is taken. Understanding this process is crucial when considering how Python entry points, which can create new CLI commands, might interact with or potentially interfere with existing system commands.
Terminal output on an Ubuntu system showing the ‘ls’ command execution, its PATH location using ‘which ls’, and the system’s PATH environment variable, displaying the ‘ls’ PATH priority.
How Attackers Can Abuse Entry Points to Execute Malicious Code
Malicious actors can exploit Python entry points in several ways to trick users into executing harmful code. We’ll explore a number of tactics, including Command-Jacking, Malicious Plugins and Malicious Extensions.
Command-Jacking
Impersonating Popular Third-Party Commands:
Malicious packages can use entry points to masquerade as widely-used third-party tools. This tactic is particularly effective against developers who frequently use these tools in their workflows.
For instance, an attacker might create a package with a malicious ‘aws’ entry point. When unsuspecting developers who regularly use AWS services install this package and later execute the aws command, the fake ‘aws’ command could exfiltrate their AWS access keys and secrets. This attack could be devastating in CI/CD environments, where AWS credentials are often stored for automated deployments — potentially giving the attacker access to entire cloud infrastructures.
Another example could be a malicious package impersonating the ‘docker’ command, targeting developers working with containerized applications. The fake ‘docker’ command might secretly send images or container specifications to the attacker’s server during builds or deployments. In a microservices architecture, this could expose sensitive service configurations or even lead to the exfiltration of proprietary container images.
Other popular third-party commands that could be potential targets for impersonation include but not limited to:
npm (Node.js package manager)
pip (Python package installer)
git (Version control system)
kubectl (Kubernetes command-line tool)
terraform (Infrastructure as Code tool)
gcloud (Google Cloud command-line interface)
heroku (Heroku command-line interface)
dotnet (Command-line interface for .NET Core)
Each of these commands is widely used in various development environments, making them attractive targets for attackers looking to maximize the impact of their malicious packages.
Impersonating System Commands:
By using common system command names as entry points, attackers can impersonate fundamental system utilities. Commands like ‘touch,’ ‘curl,’ ‘cd’, ‘ls’, and ‘mkdir’ just to name a few, could be hijacked, leading to severe security breaches when users attempt to use these fundamental tools.
While this method potentially provides the highest chances of the victim accidentally executing the malicious code, it also carries the highest risk of failure for the attacker. The success of this approach primarily depends on the PATH order. If the directory containing the malicious entry points appears earlier in the PATH than the system directories, the malicious command will be executed instead of the system command. This is more likely to occur in development environments where local package directories are prioritized.
Another thing to keep in mind is that globally installed packages (requiring root/admin privileges) might override system commands for all users, while user-installed packages would only affect that specific user’s environment.
Comparison of Ubuntu terminal outputs before and after installation of a malicious package. An ‘ls’ command is added to the PATH /home/ubuntu/.local/bin/ls, which takes priority over the PATH of the legitimate ls command.
Enhancing Attacks with Command Wrapping
In each of these Command-Jacking tactics, while it’s simpler for an attacker to merely override CLI commands, the chances of remaining undetected are quite low. The moment victims can’t execute a command, they’ll likely become suspicious immediately. However, these attacks can be made much more effective and stealthy through a technique called “command wrapping.” Instead of simply replacing a command, wrapping involves creating an entry point that acts as a wrapper around the original command. Here’s how it works:
The malicious entry point is triggered when the user calls the command (whether it’s an impersonated third-party tool or an attempt to impersonate a system command).
In addition to silently executing the attacker’s malicious code, it calls the original, legitimate command with all the user’s arguments.
Finally, it returns the output and exit code of the legitimate command to the user.
This method of command wrapping is particularly dangerous as it executes malicious code without the user’s knowledge while maintaining the appearance of normal operation. Since the legitimate command still runs and its output and behavior are preserved, there’s no immediate sign of compromise, making the attack extremely difficult to detect through normal use. This stealthy approach allows attackers to maintain long-term access and potentially exfiltrate sensitive information without raising suspicion.
However, implementing command wrapping requires additional research by the attacker. They need to understand the correct paths for the targeted commands on different operating systems and account for potential errors in their code. This complexity increases with the diversity of systems the attack targets.
An alternative approach, depending on the command being hijacked, is for the malicious package to not only perform its covert operations but also replicate some or all of the functionality of the original command. Instead of calling the real command, the wrapper simulates its behavior. This method could further decrease suspicion, especially for simpler commands, but it requires more effort from the attacker to accurately mimic the original command’s behavior across various scenarios.
The success of these attacks ultimately depends on the malicious package being installed and its scripts directory being prioritized in the system’s PATH.
Malicious Plugins & Extensions
Another powerful technique for abusing entry points is through the creation of malicious plugins for popular Python tools and frameworks. This approach can be particularly dangerous as it targets the development and testing process itself.
Manipulating pytest:
As an example, let’s consider how an attacker might target pytest, a widely-used testing framework in the Python ecosystem. By creating a malicious pytest plugin, an attacker could potentially compromise the integrity of the entire testing process.
Here’s how such an attack could work:
The attacker creates a plugin that uses pytest’s entry point system to inject malicious code.
This plugin is distributed as a seemingly helpful testing utility.
Once installed, the plugin can manipulate various aspects of the testing process such as assertion handling.
The malicious plugin could then stealthily run malicious code in the background during testing. The malicious plugin could also override pytest’s assertion comparison, causing, for example, all equality checks to pass regardless of their actual values, leading to false positives in test results, allowing buggy or vulnerable code to pass quality checks unnoticed.
In the following video demonstration, we showcase how such a malicious plugin can target pytest’s assertion handling, allowing an attacker to manipulate test results without alerting the developers. In this example, a developer was attempting a simple test scan of a basic calculator package.
Manipulating Flake8:
Attackers can also target popular development tools, manipulating them to run malicious extensions. Flake8, a widely-used linting tool in the Python ecosystem, is one such example. Since Flake8 uses entry points to discover and load extensions, it becomes a potential target for malicious actors.
An attacker might exploit Flake8 by creating a malicious extension disguised as helpful linting rules. This extension would be defined as an entry point in the package’s setup configuration. For example, the setup file might specify an entry point named ‘MCH’, pointing to a malicious checker class within the package.
The malicious checker’s implementation could include functionality to perform harmful actions on the victim’s system, inject malicious “fixes” into the code, or manipulate linting results to hide or create issues. When a user runs Flake8 on their codebase, this malicious extension would activate, allowing the attacker to execute their harmful code.
This attack is particularly dangerous because linting tools often run on entire codebases, giving the attacker broad access to the source code. Moreover, the attack can be perpetrated through seemingly helpful linting rules, making it less likely to raise suspicion. It could serve as part of a larger supply chain attack to gather intelligence or introduce vulnerabilities into the target’s codebase.
Working around .whl File Limitations
Python wheels (.whl files) have become increasingly prevalent due to their performance benefits in package installation. However, they present a unique challenge for attackers
While both .tar.gz and .whl files may contain a setup.py file, .whl files don’t execute setup.py during installation. This characteristic has traditionally made it more difficult for attackers to achieve arbitrary code execution during the installation process when using .whl files.
However, the entry point attack method we’ve discussed provides a workaround for this limitation. By manipulating entry points, attackers can ensure their code is executed when specific commands are run, even if the package is distributed as a .whl file. This is particularly significant because when developers build a Python package using commands like “pip -m build”, newer pip versions automatically create both .tar.gz and .whl files. Additionally, pip prioritizes delivering the .whl file to users during installation
This shift in package format and installation behavior presents a new opportunity for attackers. Many security tools focus on analyzing execution of preinstall scripts during installation, which are typically associated with .tar.gz files. As a result, they may miss malicious code in packages distributed as .whl files, especially when the malicious behavior is triggered through entry points rather than immediate execution.
Entry Points in Other Ecosystems
While this blog primarily focuses on Python, the exploitation of entry points for malicious purposes extends beyond the Python ecosystem. Through our research, we have confirmed that this type of attack vector exists in several other major ecosystems, including:
npm (JavaScript), Ruby Gems, NuGet (.NET), Dart Pub, and Rust Crates, though the vulnerability may not be limited to these alone.
Understanding how entry points function across various programming languages and package managers is crucial for grasping the widespread nature of this potential security risk and for developing comprehensive defensive strategies.
Conclusion
Entry points, while a powerful and useful feature for legitimate package development, can also be manipulated to deliver malicious code across multiple programming ecosystems
Attackers could exploit this mechanism through various methods, including Command-Jacking and the creation of malicious plugins and extensions for popular development tools.
Moving forward, it’s crucial to develop comprehensive security measures that account for entry point exploitation. By understanding and addressing these risks, we can work towards a more secure Python packaging environment, safeguarding both individual developers and enterprise systems against sophisticated supply chain attacks.
As part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious activities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play, including suspicious entry points, and promptly alert our customers to help protect them from potential threats.
On September 22nd, a new PyPI user orchestrated a wide-ranging attack by uploading multiple packages within a short timeframe. These packages, bearing names like “AtomicDecoderss,” “TrustDecoderss,” “WalletDecoderss,” and “ExodusDecodes,” masqueraded as legitimate tools for decoding and managing data from an array of popular cryptocurrency wallets.
The attack targeted users of Atomic, Trust Wallet, Metamask, Ronin, TronLink, Exodus, and other prominent wallets in the crypto ecosystem. Presenting themselves as utilities for extracting mnemonic phrases and decrypting wallet data, these packages appeared to offer valuable functionality for cryptocurrency users engaged in wallet recovery or management. However, behind the scenes, these packages would fetch malicious code from dependencies to covertly steal sensitive cryptocurrency wallet data, including private keys and mnemonic phrases, potentially granting the attackers full access to victims’ funds.
This strategic use of dependencies allowed the main packages to appear harmless while harboring malicious intent in their underlying components.
Key Findings
On September 22nd, multiple packages were published to the PyPI platform, targeting a wide range of crypto wallets including Atomic, Trust Wallet, Metamask, Ronin, TronLink, and Exodus.
The malicious packages distributed their code across dependencies, making detection more challenging. This approach separated the seemingly benign main package from its harmful components.
Unlike most malicious packages we’ve seen, these packages activate only when specific functions are called, not automatically upon installation.
The malware’s capabilities include theft of private keys, mnemonic phrases, and other sensitive wallet data.
The attack exploits the trust in open-source communities and the apparent utility of wallet management tools, potentially affecting a broad spectrum of cryptocurrency users.
A Web of Deception
The attacker behind this campaign implemented a multi-faceted strategy to disguise their intent and maximize the download count of their packages. This approach combined several deceptive techniques, each designed to exploit different aspects of user trust and package evaluation practices.
Deceptive Package Names and READMEs
Package names were carefully crafted to appeal to developers and users working with various wallet types. Names like “AtomicDecoderss,” “TrustDecoderss,” and “ExodusDecodes” mimicked legitimate tools.
Each package was accompanied by a professionally crafted README file, further enhancing its apparent legitimacy. These READMEs included detailed installation instructions, usage examples, and in one case, even “best practices” for virtual environments.
The attacker went a step further in their deception by including fake package statistics in the README files. At first glance, the packages displayed impressive stats, making them appear to be part of very popular and well-maintained projects. However, these were merely images creating an illusion of popularity and active development, further encouraging users to trust and download the package.
This level of detail and apparent popularity not only made the packages seem genuine but also significantly increased the likelihood of users implementing and running the malicious code.
Distributed Functionality Across Dependencies
Functionality was distributed across multiple dependencies within the packages themselves. Six of the malicious packages relied on a dependency called “cipherbcryptors,” which contained the core malicious code. Some packages further obfuscated their functionality by utilizing an additional dependency, “ccl_leveldbases.” This approach served dual purposes.
Firstly, it made the main packages appear more innocuous upon initial inspection, as they themselves contained little to no overtly malicious code.
Secondly, it significantly complicated the analysis process for security researchers and vigilant users. The full scope of each package’s capabilities wasn’t immediately apparent, requiring a deeper dive into the dependency chain to uncover the true nature of the code.
Obfuscation of Malicious Code
Within the “cipherbcryptors” package, where the heart of the malicious functionality resided, the code was heavily obfuscated. This obfuscation makes it challenging for automated security tools and human reviewers alike to quickly identify the package’s true intent.
Original obfuscated malicious function within the “cipherbcryptors” packageAfter deobfuscation — malicious function within the “cipherbcryptors” package
Furthermore, the attacker employed an additional layer of security by not hardcoding the address of their command and control server within any of the packages. Instead, they used external resources to retrieve this information dynamically.
This technique not only makes static analysis of the code more difficult but also provides the attackers with the flexibility to change their infrastructure without needing to update the packages themselves.
By combining these various deceptive techniques — from package naming and detailed documentation to false popularity metrics and code obfuscation — the attacker created a sophisticated web of deception. This multi-layered approach significantly increased the chances of the malicious packages being downloaded and used, all while making detection and analysis more challenging.
Attack Flow
The execution of this attack diverged from the typical pattern seen in malicious packages. Rather than triggering malicious actions immediately upon installation, these packages lay dormant until specific functions were called. This approach significantly reduced the chances of detection by security tools that scan packages at installation time.
When a user attempted to use one of the advertised functions, the malicious code would activate. The process typically began with the package attempting to access the user’s cryptocurrency wallet data. For different wallet types, this involved targeting specific file locations or data structures known to contain sensitive information.
Once the wallet data was accessed, the malware would attempt to extract critical information such as private keys, mnemonic phrases, and potentially other sensitive data like transaction histories or wallet balances. This stolen data would then be prepared for exfiltration.
The exfiltration process involved encoding the stolen data and sending it to a remote server controlled by the attacker.
Impact
The consequences for victims could be severe and far-reaching. The most immediate and obvious impact is the potential for financial losses. With access to private keys and mnemonic phrases, attackers can swiftly drain cryptocurrency wallets. The irreversible nature of blockchain transactions means that once funds are stolen, recovery is nearly impossible. Beyond immediate financial theft, compromised wallet data can lead to ongoing vulnerability, as attackers may monitor and exploit the wallet over time.
The packages’ ability to fetch external code adds another layer of risk. This feature allows attackers to dynamically update and expand their malicious capabilities without updating the package itself. As a result, the impact could extend far beyond the initial theft, potentially introducing new threats or targeting additional assets over time.
Conclusion
This sophisticated supply chain attack on the Python ecosystem serves as another stark reminder of the ever-evolving threats in the open-source world. The cryptocurrency space, in particular, continues to be a prime target, with attackers constantly devising new and innovative methods to compromise valuable digital assets. This incident underscores the critical need for ongoing vigilance of the entire open-source community to remain alert and proactive in identifying and mitigating such threats. The attack’s complexity — from its deceptive packaging to its dynamic malicious capabilities and use of malicious dependencies — highlights the importance of comprehensive security measures and continuous monitoring.
As part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious activities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play and promptly alert our customers to help protect them.
Checkmarx One customers are protected from this attack.
For over a year, a persistent malware campaign has been targeting Roblox developers through malicious NPM packages. By mimicking the popular “noblox.js” library, attackers have published dozens of packages designed to steal sensitive data and compromise systems. This campaign exploits trust in the open-source ecosystem, particularly targeting the Roblox platform, an attractive target due to its massive user base of over 70 million daily active users. Despite multiple package takedowns, new malicious packages continue to appear on the NPM registry at the time of publication, requiring developers to remain vigilant against this ongoing threat.
Key Points
Dozens of malicious npm packages mimicking the popular “noblox.js” library have been identified in a campaign dating back to August 2023, with the most recent ones appearing in late August 2024.
The attackers of this campaign have employed techniques including brandjacking, combosquatting, and starjacking to create a convincing illusion of legitimacy for their malicious packages.
The malware’s capabilities include Discord token theft, system information harvesting, system persistence, and deployment of additional payloads such as Quasar RAT.
The malware employs a sophisticated persistence technique by manipulating the Windows registry, causing it to execute every time a user opens the Windows Settings app.
While the identified malicious packages have been removed from npm, the attacker’s GitHub repository containing malicious executables remains active, posing a potential threat for future attacks.
Malware in Disguise: The Social Engineering Aspect
The attackers have employed a multi-faceted approach to craft an illusion of authenticity around their malicious packages.
One deceptive tactic combines brandjacking and combosquatting — two methods that fall under the broader category of typosquatting. This strategy creates the illusion that their packages are either extensions of or closely related to the legitimate “noblox.js” library.
For example: noblox.js-async, noblox.js-thread, and noblox.js-api.
Since libraries commonly have multiple versions or extensions for specific use cases, mimicking this naming pattern increases the likelihood that developers will install the attackers’ packages, assuming they’re official extensions of “noblox.js.”
Another tactic used is starjacking, a popular method attackers employ to fake their package stats. In this instance, the malicious packages were linked to the GitHub repository URL of the genuine “noblox.js” package. This tactic falsely inflates the perceived popularity and trustworthiness of the malicious packages.
The attackers also used tactics to disguise the malware within the package itself. They meticulously mimicked the structure of the legitimate “noblox.js” but introduced their malicious code in the “postinstall.js” file. They heavily obfuscated this code, even including nonsensical Chinese characters to deter easy analysis.
These combined techniques create a convincing façade of legitimacy, significantly increasing the chances of the malicious packages being installed and executed on developers’ systems. As reported in previous analyses by Socket, Stacklok and Reversinglabs, these tactics have been consistently employed and refined throughout the year-long campaign.
Attack Flow
The malicious code exploits NPM’s postinstall hook, ensuring automatic execution when the package is installed. This hook, designed for legitimate setup processes, becomes a gateway for running the obfuscated malware without the user’s knowledge or consent.
At first glance, the obfuscated code appears daunting and impenetrable. However, by simply using an online automated JavaScript deobfuscation tool, we were able to gain significant insight into the malicious code’s operation. This initial deobfuscation revealed the general steps the malware takes to achieve its objectives. Yet, the resulting code still contained confusing elements and required additional cleaning to fully comprehend its functionality. This process of incremental deobfuscation and analysis allowed us to piece together the complete attack flow, with its most notable details listed below.
Discord Token Theft
The malware searches for Discord authentication tokens in multiple locations.
The stolen tokens are then validated to ensure only active ones are exfiltrated.
Antivirus Evasion
The malware aggressively undermines the system’s security measures. It first targets Malwarebytes, attempting to stop its service if running. This is followed by a more comprehensive attack on Windows Defender: the script identifies all disk drives and adds them to Windows Defender’s exclusion list. This action effectively blinds Windows Defender to any file on the system. By disabling third-party antivirus and manipulating built-in Windows security, the malware creates an environment where it can operate freely, significantly increasing its potential for damage and persistence.
Additional Payload Deployment
The malware expands its capabilities by downloading two additional executables from the attacker’s GitHub repository. These files, “cmd.exe” and “Client-built.exe”, are fetched using base64-encoded URLs and saved to the “C:\WindowsApi” directory with randomized names. The malware uses a combination of “nodeapi_” prefix and a unique hexadecimal string, likely to help the malicious files blend in with legitimate system files.
Persistence Mechanism
To ensure long-term access, the malware manipulates a Windows registry key to ensure it runs consistently on the infected system.
Specifically, it adds the path of the downloaded “Client-built.exe” to the strategic registry location:
By modifying this key, the malware hijacks legitimate Windows functionality. As a result, whenever a user attempts to open the Windows Settings app, the system inadvertently executes the malware instead.
Data Exfiltration
Throughout its execution, the malware collects various types of sensitive information from the infected system. This data is packaged and sent to the attacker’s command and control server using a Discord webhook.
QuasarRAT Deployment
The final stage involves deploying QuasarRAT, a remote access tool that gives the attacker extensive control over the infected system.
The Attacker
The second-stage malware originates from an active GitHub repository: https://github.com/aspdasdksa2/callback. As of this writing, the repository remains accessible and potentially in use for distributing malware through other packages. The repository, owned by user “aspdasdksa2”, contains multiple malicious executables. The repository’s continued existence and its content suggest ongoing malware development and distribution.
Notably, the attacker maintains a second repository named “noblox-spoof”, which appears to house the latest malicious npm package content, directly referencing the target of this campaign.
The most recent malicious packages impersonating the popular noblox.js library (four packages published by user “bicholassancheck14” — noblox.js-async, noblox.js-threads, noblox.js-thread, and noblox.js-api) have been taken down after we promptly reported them to npm’s security team. While this is a positive development, it’s important to note that the threat is not entirely neutralized.
We strongly advise the developer community to remain vigilant. The attacker’s continued infrastructure presence and persistence pose an ongoing threat. Developers should exercise caution, particularly when working with packages that resemble popular libraries like noblox.js.
Conclusion
This malware campaign, targeting Roblox developers through npm packages, has persisted for over a year. By mimicking the popular “noblox.js” library, attackers published dozens of malicious packages designed to steal sensitive data and compromise systems.
Central to the malware’s effectiveness is its approach to persistence, leveraging the Windows Settings app to ensure sustained access.
The discovery of these malicious NPM packages serves as a stark reminder of the persistent threats facing the developer community. By masquerading as legitimate, helpful libraries, attackers continue to find new ways to exploit trust within the open-source ecosystem.
This campaign underscores the critical importance of thoroughly vetting packages before incorporation into projects. Developers must remain vigilant, verifying the authenticity of packages, especially those resembling popular libraries, to protect themselves and their users from such sophisticated supply chain attacks.
As part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious activities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play and promptly alert our customers to help protect them.
Checkmarx One customers are protected from this attack.
In July 2024, the software supply chain security landscape faced unprecedented challenges, marked by sophisticated attacks from state-sponsored actors and organized cybercriminal groups. North Korean threat actors escalated their year-long campaign, targeting developers with malicious npm packages, while Iraq-based cybercriminals leveraged PyPI to distribute malware linked to an extensive underground operation. A complex attack exploiting StackExchange and PyPI resulted in significant cryptocurrency theft, and macOS developers using Google Cloud Platform fell victim to a stealthy malware campaign. Concurrently, a massive GitHub-based network for artificially inflating repository popularity was exposed, further compromising the integrity of open-source ecosystems. These incidents underscore the urgent need for enhanced security measures and vigilance across all facets of the software supply chain.
Let’s delve into some of the most striking events of July:
A sophisticated malware campaign targeting cryptocurrency users involved with Raydium and Solana platforms was uncovered. Attackers exploited StackExchange to direct users to malicious Python packages on PyPI, resulting in data exfiltration and cryptocurrency theft. The malware evaded detection by common security tools, highlighting vulnerabilities in modern EDR systems. (Link to report)
Tip of the Iceberg: Malicious Python Packages Reveal Extensive Cybercriminal Operation Based in Iraq
Investigation into malicious Python packages on PyPI led to the discovery of a large-scale cybercriminal operation based in Iraq. The operation, linked to a Telegram bot with over 90,000 messages, functioned as an underground marketplace for illicit services and was involved in financial theft and victim exploitation. (Link to report)
A Year-Long Campaign of North Korean Actors Targeting Developers via Malicious npm Packages
Throughout July 2024, North Korean threat actors escalated their ongoing campaign, publishing multiple malicious packages to the NPM registry. While the core malicious code structure remained consistent over the year-long operation, the attackers continuously refined their social engineering tactics. (Link to report)
Malicious Python Package Targets macOS Developers to Access Their GCP Accounts
A malicious Python package named “lr-utils-lib” was found targeting specific macOS systems to harvest Google Cloud authentication data. The package, masquerading as a legitimate library, automatically executed upon installation and sent stolen credentials to a remote server, potentially compromising developers’ GCP accounts. (Link to report)
GitHub Credibility Manipulation Network Exposed
A large-scale operation dubbed the “Stargazers Ghost Network” was uncovered by checkpoint, revealing a system of GitHub account manipulation. This network, comprising over 3,000 accounts, artificially inflates the popularity and perceived legitimacy of repositories through coordinated starring, forking, and watching activities. This discovery builds upon our previous investigation into the GitHub black market for inflating repository stars, demonstrating the evolving nature of platform manipulation tactics. The operation not only distorts repository metrics but also potentially masks the distribution of malicious content
Our team will continue to hunt, squash attacks, and remove malicious packages in our effort to keep the open-source ecosystem safe.
I encourage you to stay up to date with the latest trends and tactics in software supply chain security by tuning into our future posts and learning how to defend against potential threats.
July 2024 saw a surge in reports from multiple security firms detailing North Korean threat actors targeting developers through malicious npm packages. These reports highlight the continuation and intensification of a campaign that has been ongoing for close to a year now. While the core structure of the malicious code has remained remarkably similar throughout the campaign, the threat actors have been consistently evolving their social engineering tactics to increase their chances of compromising target systems.
Key Points
Multiple security firms reported North Korean threat actors publishing malicious npm packages throughout July 2024, indicating an intensification of an ongoing campaign.
Despite the campaign’s year-long duration, the structure of the malicious code within the packages has remained notably consistent.
The latest tactic involves mimicking trusted and popular npm packages with added malicious functionality, to make the package appear more legitimate and challenging to detect.
Our research team is actively tracking additional undisclosed packages linked to this campaign.
The campaign by North Korean threat actors to target developers through malicious npm packages has been ongoing since at least September 2023.
However, July 2024 saw an uptick in activity and subsequent reports from security firms including Phylum, Stacklok, and Datadog. These reports, along with our own ongoing research, provide a comprehensive view of the threat landscape and the persistent nature of this campaign.
Campaign timeline
Throughout the year-long campaign, North Korean threat actors have consistently published malicious packages on the npm registry.
Typically, when packages are removed by npm, they retain a placeholder on the registry containing the package’s name.
These NK malicious packages are often live for only a short period, sometimes just a few hours, before being unpublished by the attackers themselves. This swift self-removal appears to be a deliberate tactic to evade detection and potential removal by npm’s security measures. Notably, because the attackers unpublish the packages rather than having them removed by npm, no placeholder containing the package’s name is retained in the registry. This means that security researchers and developers searching for these packages on the npm registry will find no mention of them, effectively erasing their malicious history
Typical structure of the code
A key characteristic of this campaign has been the consistency in the structure of the malicious code within the packages.
Despite minor variations in file names, URLs, and decryption keys, the overall functionality and execution flow have remained largely unchanged. This consistency suggests that the attackers are relying on a proven technique, making only small modifications to evade detection.
While the malicious code structure has remained consistent, the social engineering tactics used to lure developers into downloading and installing these packages have continuously evolved. The threat actors have employed various methods, from creating fake job interviews to impersonating legitimate development workflows, each time adapting their approach to exploit the trust within the open-source community.
Typical execution flow
The typical execution flow of these packages includes checking the operating system (usually targeting Windows), downloading a file from a remote server, decrypting the file (often using XOR operation), executing the decrypted file (commonly using rundll32), and cleaning up traces of the attack.
In the most recent packages of this campaign the threat actors implemented an approach of mimicking legitimate packages by copying code from popular packages and then mixing malicious components into it. This tactic makes it more challenging to detect the malicious nature of the package at first glance.
CONCLUSION
The persistent and evolving campaign by North Korean threat actors targeting developers through malicious npm packages represents a significant and ongoing threat to the open-source ecosystem.
The surge of activity observed in July 2024 demonstrates that despite increased awareness and defensive measures, these actors remain undeterred and continue to adapt their tactics.
As part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious activities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play and promptly alert our customers to help protect them.
A malicious campaign involving several python packages, most notably the “spl-types” Python package began on June 25th with the upload of an innocuous package to PyPI. This initial version, devoid of malicious content, was intended to establish credibility and avoid immediate detection. It was a wolf in sheep’s clothing, waiting for the right moment to reveal its true nature. The attacker’s patience paid off on July 3rd when they unleashed multiple malicious versions of the package. The heart of the malware was in the init.py file, obfuscated to evade casual inspection. Upon installation, this code would execute automatically, setting in motion a chain of events designed to compromise and control the victim’s systems, while also exfiltrating their data and draining their crypto wallets.
Key Findings
Multiple malicious Python packages were uploaded to PyPI, targeting cryptocurrency users involved with Raydium and Solana.
The attacker exploited StackExchange as their primary vector to direct people to their malicious package. They posted a seemingly helpful answer on a popular thread that referenced their malicious package, leveraging trust in community-driven platforms.
The multi-stage malware exfiltrated extensive sensitive data and facilitated the draining of victims’ crypto wallets
Windows Virus and Threat Protection failed to detect the active malware on a victim’s system, providing a real-world validation of our previous research demonstrating that modern EDR systems are ineffective against threats from malicious packages.
A backdoor component in the malware granted the attacker persistent remote access to victims’ systems, enabling potential future exploits and long-term compromises.
A Multi-Stage Assault
The initial payload acted as a springboard, reaching out to external resources to download and execute additional malicious scripts. These scripts formed the core of the operation, and meticulously scanned the victim’s system for valuable data. The malware cast a wide net, targeting an array of sensitive information — browser data was readily available, as the malware harvested saved passwords, cookies, browsing history, and even stored credit card information. Cryptocurrency wallets, including popular options like Exodus, Electrum, and Monero, were also prime targets. The attack didn’t stop there; it also sought out data from messaging applications such as Telegram, Signal, and Session. In a particularly invasive move, the malware captured screenshots of the victim’s system, providing the attacker with a visual snapshot of the user’s activities. It also scoured the system for files containing specific keywords related to cryptocurrencies and other sensitive information, including GitHub recovery codes and BitLocker keys. The final part of this digital heist involved compressing the stolen data and exfiltrating it to the attacker’s command and control server via several Telegram bots.
Also included in the malicious scripts was a backdoor that granted the attacker remote control over the victim’s system, allowing for ongoing access and potential future exploits.
One of the attacker’s telegram bots receiving screenshots and data from victims machines.
Profiling the victims & motives behind the attack
As we continued to follow this attack, a clear pattern emerged around the victims. What united them was not their profession or location, but their involvement with Raydium and Solana, two prominent players in the cryptocurrency space. This commonality suggests that the attacker had a specific target in mind.
The focus on users of these platforms indicates a level of strategic thinking on the part of the attacker. By targeting this specific group, they positioned themselves to potentially intercept or manipulate high-value transactions, pointing to clear financial motives behind the attack.
Delivery strategy of the malware
The attacker was strategic when thinking about how to deliver the malicious package to unsuspecting victims. Their approach was twofold: create a seemingly legitimate package and then lending it credibility through manipulative online engagement.
Step 1: Crafting a Deceptive Package
The first step involved creating a package that would raise minimal suspicion.
In screenshots from compromised systems, we observed victims using, or installing, a package named “Raydium”.
It’s crucial to note that while Raydium is a legitimate blockchain-related platform (an Automated Market Maker (AMM) and liquidity provider built on the Solana blockchain for the Serum Decentralized Exchange (DEX)), it does not have an official Python library.
Exploiting this gap, the attacker, used a separate username to publish a Python package named “Raydium” on PyPI.
The malicious packages of this campaign were dependencies within other seemingly legitimate packages.
This package included the malicious “spl-types” as a dependency, effectively disguising the threat within a seemingly relevant and legitimate package.
Step 2: Building Credibility and Ensuring Adoption
To lend credibility to this package and ensure its widespread adoption, the attacker scoured StackExchange, a popular Q&A platform similar to Stack Overflow, for highly viewed threads related to Raydium and Solana development. Upon identifying a suitable and popular thread, the attacker contributed what seemed to be a high-quality, detailed answer. This response, while ostensibly helpful, included references to their malicious “Raydium” package. By choosing a thread with high visibility — garnering thousands of views — the attacker maximized their potential reach.
Developers seeking solutions to Raydium-related questions would likely view the answer as credible and follow the suggestions with minimal suspicion.
This tactic underscores the importance of verifying the authenticity of packages, especially those recommended in forums by unknown individuals.
Case Studies and the personal impact
The impact of this attack goes beyond theory. Behind each compromised system is a real person, and their stories reveal the true cost of such breaches. There were many cases, but in this blog, let’s look at a couple notable ones that highlight different aspects of this attack:
Case Study 1
In one of the malware-captured screenshots, we observed clear personal details of a victim. Cross-referencing this information with LinkedIn allowed us to identify the individual, who happened to also be employed at a respected IT company. This discovery prompted us to take the step of reaching out to warn them about the breach. During our subsequent communication, we learned the victim’s entire Solana crypto wallet had been drained shortly after unknowingly downloading the malicious package. This case vividly illustrates how such attacks can have immediate and severe financial consequences for individuals.
Case Study 2
Bottom left: Screenshot of the victim’s screen. Top right: Windows Defender scan declaring in Dutch that the system is clear of threats after the scan. Top left: victim’s private key.
Another victim’s experience highlighted a critical weakness in current cybersecurity practices. A screenshot from their system showed a private key clearly visible — a goldmine for any attacker since these keys bypass any password or multi factor authentication active on the account that the private key is for.
In addition to that, and what made this image particularly alarming, was the Windows Virus and Threat Protection screen displayed alongside it, declaring that a scan had just been completed and that the system was clear of threats.
The revelation that Windows Virus and Threat Protection failed to detect the threat during active data exfiltration is particularly concerning. It emphasizes a critical blind spot in traditional security measures when it comes to malicious activities initiated through package managers. This failure of detection occurred not just before or after the attack, but during the very moment the malware was active and stealing data.
This incident provides a real-world example of how Endpoint Detection and Response (EDR) systems can fall short in stopping malicious package activity or sending relevant alerts.
Moreover, even if the malicious package is later taken down from the repository and not publicly declared as malicious, EDR systems typically won’t flag the package as vulnerable if it remains installed
on a user’s system. This leaves users potentially exposed to ongoing threats from previously downloaded malicious packages.
PyPi for example, to this day, completely eliminates all traces of a package, leaving no placeholders behind. Although malicious usernames often remain, they appear without any associated malicious packages. Consequently, anyone who encounters these malicious usernames may be unaware of the user’s history of uploading malicious packages.
The “spl-types” malware incident is more than just another data breach. It serves as a stark reminder of the cost of cybersecurity failures and the ongoing challenges we face in securing the software supply chain.
This incident’s impact extends beyond individual users to enterprises. A single compromised developer can inadvertently introduce vulnerabilities into an entire company’s software ecosystem, potentially affecting the whole corporate network.
This attack serves as a wake-up call for both individuals and organizations to reassess their security strategies. Relying solely on traditional security measures is not sufficient. A more comprehensive approach is needed, one that includes rigorous vetting of third-party packages, continuous monitoring of development environments, and fostering a culture of security awareness among developers.
As part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious activities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play and promptly alert our customers to help protect them.
The fight against such sophisticated threats is ongoing, and as we gather more insights into the attacker’s methods and infrastructure, we will continue to share our findings with the community. Together, we can work towards a safer digital future for all.
In a recent investigation, we discovered that the Python package, “lr-utils-lib”, contained hidden malicious code. The code, activated upon installation, targets macOS systems and attempts to steal Google Cloud Platform credentials by sending them to a remote server. Additionally, we discovered a link to a fake LinkedIn profile for “Lucid Zenith,” who falsely claimed to be the CEO of Apex Companies, LLC, indicating possible social engineering tactics. Alarmingly, AI search engines, like Perplexity, inconsistently verified this false information, highlighting significant cybersecurity challenges in the digital age.
Key Points
A package called “lr-utils-lib” was uploaded to PyPi in early June 2024, containing malicious code that executes automatically upon installation.
The malware uses a list of predefined hashes to target specific macOS machines and attempts to harvest Google Cloud authentication data.
The harvested credentials are sent to a remote server.
Attack Flow
The malicious code is located within the setup.py file of the python package, which allows it to execute automatically upon installation.
This is the simplified code version, as the original was obfuscated.
Upon activation, the malware first verifies that it’s operating on a macOS system, its primary target. It then proceeds to retrieve the IOPlatformUUID of the Mac device (a unique identifier) and hashes it using the SHA-256 algorithm.
This resulting hash is then compared against a predefined list of 64 MAC UUID hashes, indicating a highly targeted attack strategy, and suggesting the attackers have prior knowledge of their intended victims’ systems.
If a match is found in the hash list, the malware’s data exfiltration process begins. It attempts to access two critical files within the ~/.config/gcloud directory: application_default_credentials.json and credentials.db. These files typically contain sensitive Google Cloud authentication data. The malware then attempts to transmit the contents of these files via HTTPS POST requests to a remote server identified as europe-west2-workload-422915[.]cloudfunctions[.]net.
This data exfiltration, if successful, could provide the attackers with unauthorized access to the victim’s Google Cloud resources.
CEO Impersonation
The social engineering aspect of this attack, while not definitively linked to the malware itself, presents an interesting dimension. A LinkedIn profile was discovered under the name “Lucid Zenith”, matching the name of the package owner. This profile falsely claims that Lucid Zenith is the CEO of Apex Companies, LLC. The existence of this profile raises questions about potential social engineering tactics that could be employed alongside the malware.
We queried various AI-powered search engines and chatbots to learn more about Lucid Zenith’s position. What we found was a variety of inconsistent responses. One AI-powered search engine, “Perplexity”, incorrectly confirmed the false information, without mentioning the real CEO.
This response was pretty consistent even with various phrasings of the question.
This was quite shocking since the AI-powered search engine could have easily confirmed the fact by checking the official company page, or even noticing that there were two LinkedIn profiles claiming the same title.
Other AI platforms, to their credit, when repeatedly questioned about Lucid Zenith’s role, correctly stated that he was not the CEO and provided the name of the actual CEO. This discrepancy underscores the variability in AI-generated responses and the potential risks of over-relying on a single AI source for verification. It serves as a reminder that AI systems can sometimes propagate incorrect information, highlighting the importance of cross-referencing multiple sources and maintaining a critical approach when using AI-powered tools for information gathering.
Whether this manipulation was deliberate by the attacker, highlights a vulnerability in the current state of AI-powered information retrieval and verification systems that nefarious actors could potentially use to their advantage, for instance enhancing credibility and delivery of malicious packages.
Conclusion
The analysis of the malicious “lr-utils-lib” Python package, reveals a deliberate attempt to harvest and exfiltrate Google Cloud credentials from macOS users. This behavior underscores the critical need for rigorous security practices when using third-party packages. Users should ensure they are installing packages from trusted sources and verify the contents of the setup scripts. The associated fake LinkedIn profile and inconsistent handling of this false information by AI-powered search engines highlight broader cybersecurity concerns. This incident serves as a reminder of the limitations of AI-powered tools for information verification, drawing parallels to issues like package hallucinations. It underscores the critical need for strict vetting processes, multi-source verification, and fostering a culture of critical thinking.
While it is not clear whether this attack targeted individuals or enterprises, these kinds of attacks can significantly impact enterprises. While the initial compromise usually occurs on an individual developer’s machine, the implications for enterprises can be substantial. For instance, if a developer within an enterprise unknowingly uses a compromised package, it could introduce vulnerabilities into the company’s software projects. This could lead to unauthorized access, data breaches, and other security issues, affecting the organization’s cybersecurity posture and potentially causing financial and reputational damage.
As part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious activities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play and promptly alert our customers to help protect them.
Checkmarx One customers are protected from this attack.
Tip of the Iceberg: Malicious Python Packages Reveal Extensive Cybercriminal Operation Based in Iraq
Recently, a series of malicious Python packages surfaced on PyPI, uploaded by a user named “dsfsdfds”. These packages contained a malicious script located within the __init__.py file.
Key Points
Recently, malicious Python packages — uploaded to PyPI by user “dsfsdfds” — were found to be exfiltrating sensitive user data without consent, to a Telegram chat bot.
The Telegram bot is linked to multiple cybercriminal operations based in Iraq. The bot has activity dating back to 2022 and contains over 90,000 messages, mostly in Arabic.
The bot functions also as an underground marketplace offering social media manipulation services. It has been linked to financial theft and exploits victims by exfiltrating their data.
Initially, the malicious packages incident, appeared isolated. However, it is part of a larger, sophisticated cybercriminal ecosystem, emphasizing the importance of thorough investigation and collaboration within the cybersecurity community.
Attack Flow
The malicious script follows a systematic approach to compromise the victim’s system and exfiltrate sensitive data. It begins by scanning the user’s file system and focusing on two specific locations: the root folder and the DCIM folder. The script searches for files during the scanning process, with extensions such as .py, .php, and .zip files, as well as photos with .png, .jpg, and .jpeg extensions.
Once identified, the script sends their file paths, along with the actual files and photos, to the attackers Telegram bot. This all occurs without the end-user’s knowledge or consent.
The following code snippet demonstrates the core functionality of the malicious script:
The inclusion of hardcoded sensitive information, such as the bot token and chat ID, allowed us to gain further valuable insights into the attacker’s infrastructure and operations.
Additional Insights
Further analysis of the Telegram bot to which the exfiltrated data was being sent uncovered additional findings.
The hardcoded “chat_id” and “bot_token” present in the malicious packages allowed us to gain direct access to the attacker’s Telegram bot and monitor its activities. This technique (outlined here) proved to be a valuable tool in understanding the scope and nature of the attack.
This Telegram bot exhibited a significant history of activity. It had records dating back to at least 2022 — long before the malicious packages were released on PyPI, and contained over 90,000 messages.
The messages were primarily in Arabic. Further investigation with GitHub’s “TeleTracker” revealed that the bot operator maintained numerous other bots and was likely based in Iraq.
Initially, the bot appeared to function as a typical underground marketplace, offering various illicit services such as: purchasing Telegram and Instagram views, followers, spam services, and discounted Netflix memberships.
Part of the bot message history, displaying underground market activities
However, upon further examination of the bot’s message history, we found evidence of more sinister activities that appeared to be involved in financial theft. Additional messages suggested they were sent from systems compromised by the harmful Python packages.
Part of the bot message history, displaying evidence of success from the malicious python packages campaign
The discovery of this elaborate Telegram-based cybercriminal operation underscores the importance of thorough and persistent investigation when researching the true extent of such attacks. Especially since the initial malicious packages served as a mere entry point to a much larger criminal ecosystem.
CONCLUSION
The discovery of the malicious Python packages on PyPI and the subsequent investigation into the Telegram bot have shed light on a sophisticated and widespread cybercriminal operation. What initially appeared to be an isolated incident of malicious packages turned out to be just the tip of the iceberg, revealing a well-established criminal ecosystem based in Iraq.
This particular attack vector is not limited to end-users and can indeed impact enterprises as well. While the initial compromise might occur on an individual developer’s machine, the implications for enterprises can be significant. For instance, if a developer within an enterprise unknowingly uses a compromised package, it could introduce vulnerabilities into the company’s software projects.
As the fight against malicious actors in the open source ecosystem persists, collaboration and information sharing among the security community will be critical in identifying and stopping these attacks. Through collective effort and proactive measures, we can work towards a safer and more secure open source ecosystem for all. Our research team is continuously investigating this attack to gain additional insights into the attacker’s modus operandi and will share further findings with the community as they emerge.
As part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious activities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play and promptly alert our customers to help protect them.
Checkmarx One customers are protected from this attack.
Alert: CDN Service “polyfill.io” Used by 100K+ Websites Provided Malicious Code in Responses — Do Not Use It Anymore!
It’s not uncommon for things like domains and open-source projects to change hands. While many such transitions occur without incident, the recent case of Polyfill.io serves as a stark reminder of the inherent risks.
Key Points
Polyfill.io, is a service used by over 100,000 websites, providing polyfill javascript code for backward compatibility for older browsers.
This service recently switched owners and was sold to a Chinese company, Funnull, in February 2024.
The new owners modified Polyfill.io service to silently inject malicious code.
This attack employs evasion techniques and apparently focuses on attacking mobile devices.
This attack is NOT affecting the popular NPM package polyfill. If you’re using the NPM package directly and not cdn.polyfill.io, you're on the safe side.
We advise not using the NPM package polyfill-service because of the new owners’ low reputation.
Pollyfill.io — What do you need to know?
From Popular and Trusted Service to Trojan Horse
Polyfill.io, a service utilized by over 100,000 websites, enables modern JavaScript features to function seamlessly across older browsers. However, this widely trusted tool has recently become the epicenter of a significant supply chain attack, affecting its vast user base and beyond.
The sequence of events unfolded in February 2024 when the polyfill.io domain was acquired by Funnull, a Chinese company. This transaction immediately raised red flags among security experts, including Andrew Betts, the original developer of the Polyfill project. Betts swiftly cautioned the community against using the service, anticipating potential security vulnerabilities.
These concerns were validated when security researchers uncovered that the new owners had modified the script served by cdn.polyfill.io to inject malicious code. This transformation turned the once-reliable and trusted service into a vehicle for supply chain attacks.
Websites using the compromised cdn.polyfill.io unknowingly served this malicious code to their visitors.
The Anatomy of the Attack
At the heart of this security breach is malicious JavaScript code, injected directly through the compromised cdn.polyfill.io domain. When a website includes a script tag pointing to cdn.polyfill.io, it unknowingly pulls in this malicious code, executing it in users’ browsers.
Not A Malicious Package
It’s crucial to distinguish this attack from vulnerabilities in NPM packages, as this is not related to the polyfill NPM package or open-source software packages generally. While packages such as NPM packages are downloaded and installed locally in a project’s dependencies, this malicious code is served dynamically from the CDN each time a page loads. This means that even if a developer’s local environment and code repository are secure, the live website could still be serving malicious code to end users.
The Malicious Code
The attack utilizes dynamic payload generation, creating customized malicious content based on HTTP headers. This allows it to adapt its behavior to different environments, making it more difficult to identify and mitigate. Furthermore, the code is selective in its activation, targeting specific mobile devices.
To further evade discovery, the malicious code incorporates several evasion techniques. It avoids execution when it detects admin users or the presence of web analytics services. The code also employs delayed execution, postponing its actions to reduce the likelihood of being caught by immediate security scans.
Adding another layer of complexity, the entire malicious payload is obfuscated, making it more challenging to analyze its full capabilities.
In some instances, the attack introduces a fake Google Analytics script. Users receive tampered JavaScript files that include a link to “https://www.googie-anaiytics.com/gtags.js" (note the misspelling of “analytics”). This fraudulent script was found to redirect users to various malicious sites, including sports betting and pornographic websites, apparently based on the user’s geographic location.
While the current known actions of the malicious code are primarily focused on redirects, the nature of JavaScript means that the attack could evolve at any moment. Potential future threats include formjacking, where data from online forms could be stolen; clickjacking, which tricks users into clicking on disguised elements; and broader data theft, involving the collection and exfiltration of user information.
Industry Giants Respond
In response to the attack, major players in the tech industry have taken action. Cloudflare and Fastly set up their own mirrors of the Polyfill.io service to provide a trusted alternative, and Google has begun notifying advertisers whose landing pages include the compromised code, warning of potential ad disapprovals due to unwanted redirects.
Conclusion
We advise not using the NPM package polyfill-service because of the new owners’ low reputation even though latest release to this day is clean from malicious code.
The Polyfill.io supply chain attack serves as another wake-up call for the web development community, highlighting the vulnerabilities that can arise when widely-used services change hands. In response, website owners and developers should take immediate action: remove all references to cdn.polyfill.io, consider trusted alternatives like Cloudflare or Fastly mirrors, and evaluate self-hosting options.
This incident also underscores the importance of regularly auditing third-party dependencies, staying informed about ownership changes in critical services, and developing contingency plans for rapid migration.
In December 2023, we reported on how North Korean threat actors, particularly Jade Sleet, have been compromising supply chains through the open-source ecosystem, with one of their key tactics being the exploitation of the public npm registry to distribute malicious packages. Despite the increased exposure and attention brought to this issue by our research and that of others in the field, it is evident that these attackers remain undeterred.
Throughout the first and even second quarter of 2024, we observed the continued publication of malicious packages on NPM, bearing striking similarities to those detailed in our previous blog post. Initially, we believed these packages to be a continuation of Jade Sleet’s campaign in late spring and early summer of 2023. However, new information came to light, making it apparent that a new threat actor was emerging on the scene.
Key Points
Moonstone Sleet, a newly identified North Korean threat actor, has entered the scene, targeting the open-source software supply chain with tactics similar to other well-known North Korean groups.
Among Moonstone Sleet’s key tactics is the distribution of malware through malicious NPM packages, which are published on the public NPM registry, exposing a wide range of developers to potential compromise.
The ongoing activities of Moonstone Sleet, Jade Sleet, and other North Korean state-sponsored actors underscore the constant threat to the open-source ecosystem.
Recent Developments:
In a recent publication, Microsoft shed light on a new rising North Korean threat actor named Moonstone Sleet, which employs various tactics, techniques, and procedures (TTPs) to target companies for financial gain and cyberespionage. With much of These TTPs utilized by Moonstone Sleet closely resemble those employed by other North Korean threat actors
A number of IOCs shared in Microsoft’s blog closely resemble those mentioned in our December blog post and recent publications by Phylum. showing that, in addition to delivering malicious npm packages through freelancing websites and platforms like LinkedIn, Moonstone Sleet has also been attempting to spread their malicious packages through the public npm registry.
This tactic allows them to potentially reach a wider audience and increases the likelihood of their malicious packages being installed by unsuspecting developers.
Differences in Code Style and Structure
The malicious npm packages discovered during the apring and early summer of 2023, affiliated with Jade Sleet, and those found in late 2023 to early 2024, containing IOCs linking them to the Moonstone Sleet group, exhibit distinct code style and structure differences. These differences offer interesting insights into the varying strategies used by different groups when targeting the open-source software supply chain.
Packages attributed to Jade Sleet
Jade Sleet’s packages, discovered throughout summer 2023, were designed to work in pairs, with each pair being published by a separate npm user account to distribute their malicious functionality. This approach was used in an attempt to make it more challenging to detect and trace the malicious activity back to a single source.
The first package in the pair was responsible for creating a directory on the victim’s machine, fetching updates from a remote server, and saving them in a file within the newly created directory. This package laid the groundwork for the second package to execute its malicious payload.
Code of the first package in the pair
The second package, upon execution, would read a token from the file created by the first package. It would then make a request to a specific URL, passing the token as a parameter. The response from this request, likely containing additional malicious code, would be written to another file on the victim’s machine. Finally, the second package would immediately execute this newly written file as a Node.js script, unleashing the full extent of the malicious functionality.
Code of second package in pair
Packages attributed to Moonstone Sleet
In contrast, the packages published throughout late 2023 and early 2024 adopted a more streamlined single-package approach which would execute its payload immediately upon installation.
The malicious payload was encoded within string constants and included OS-specific code, executing only if it detected that it was running on a Windows machine.
Packages published in the last quarter of 2023 and the first quarter of 2024 shared significant similarities, with only minor variations in file names, URLs, and decryption keys.
Despite these minor changes, the malicious payload’s overall structure and functionality remain largely the same, indicating that the attackers are relying on a proven technique while making small modifications to evade detection:
Malicious Payload Execution:
The malicious payload downloads a file from a remote server, decrypts it using a byte-wise XOR operation, renames the decrypted file, and executes it using rundll32. It then cleans up by deleting the temporary files and replacing the malicious package.json with a clean version.
Overall structure of malicious code
Changes in the Attack Flow in Second Quarter of 2024 In the second quarter of 2024, the packages increased in complexity, with the attackers adding obfuscation and having it target Linux systems as well. The following code would be executed if the OS was detected as Linux:
For a more detailed explanation of how the various packages operate, you can refer to our past publications.
The frequent publication of malicious packages on npm by North Korean threat actors underscores the persistent nature of their campaign. By continually adapting their tactics and techniques, they aim to evade detection and enhance their odds of breaching targeted systems.
With the revelation of this new North Korean group, coupled with the recent attacks by Russian and North Korean threat actors and the recent high-profile XZ attack, it has become increasingly apparent that the open-source ecosystem has become a prime target for powerful and sophisticated adversaries. And while the open-source community plays a crucial role in maintaining the security and integrity of the ecosystem, the primary responsibility for ensuring the safety of the software supply chain lies with the companies that consume these packages.
As the fight against malicious actors in the open-source ecosystem persists, collaboration and information sharing among the security community will be critical in identifying and thwarting these attacks. Through collective effort and proactive measures, we can work towards a safer and more secure open-source ecosystem for all.
Instant Breach: Malicious Package Compromise — Victim vs Attacker’s POV
Open-source packages are an indispensable tool for developers. However, the convenience they offer comes with a significant risk: the potential for instant breaches through malicious packages.
Consuming a malicious open-source package is equivalent to an instant breach. No current update strategy can match the speed at which these packages can compromise your systems.
In contrast to vulnerable packages, which pose a passive risk due to coding errors or oversights and only have potential impacts if exploited, malicious packages represent an active, immediate risk. They are designed with harmful intentions, such as stealing sensitive data and deploying backdoors and keyloggers, just to name a few.
Developers installing these malicious packages are often unaware that their systems have been compromised.
The following video demonstrates the simplicity of falling victim to a malicious package. In this example, the attacker infected the victim with a keylogger which automatically sends all keystrokes to the attacker via a webhook:
Unfortunately, current application security controls often focus on known Common Vulnerabilities and Exposures (CVEs). Since malicious packages very rarely receive CVEs, this leaves organizations vulnerable to attacks.
Even Endpoint Detection and Response (EDR) systems are unable to stop malicious package activity or send relevant alerts. Attackers are well aware of this weakness, which is why we are seeing a massive spike in targeted open-source supply chain attacks.
Conclusion
To fortify our defenses against these relentless cyber threats, our goal should be clear: prevent malicious packages from ever penetrating our Software Development Lifecycle (SDLC). The best approach is to screen open-source packages for malware before allowing them into the network.
By proactively addressing this risk, we can protect our systems and data from the instant breaches caused by malicious packages.
As part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious activities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play and promptly alert our customers to help protect them.
In a recent attack campaign, cybercriminals were discovered cleverly manipulating GitHub’s search functionality, and using meticulously crafted repositories to distribute malware.
Key points
GitHub search manipulation: Attackers create malicious repositories with popular names and topics, using techniques like automated updates and fake stars to boost search rankings and deceive users.
Malicious code is often hidden within Visual Studio project files (.csproj or .vcxproj) to evade detection, automatically executing when the project is built.
The attacker had set up the stage to modify the payload based on the victim’s origin, checking specifically if the victim is based in Russia. At this point, we don’t see this ability activated.
The recent malware campaign involves a large, padded executable file that shares similarities with the “Keyzetsu clipper” malware, targeting cryptocurrency wallets.
The malware establishes persistence on infected Windows machines by creating a scheduled task that runs the malicious executable daily at 4AM without user confirmation.
Developers should be cautious when using code from public repositories and watch for suspicious repository properties, such as high commit frequencies and stargazers with recently created accounts.
Exploiting GitHub’s Search Functionality:
Our recent findings reveal a threat actor creating GitHub repositories with names and topics that are likely to be searched by unsuspecting users. These repositories are cleverly disguised as legitimate projects, often related to popular games, cheats, or tools, making it difficult for users to distinguish them from benign code.
To ensure maximum visibility, the attackers employ a couple of clever techniques that consistently place their malicious repositories at the top of GitHub search results.
Automatic updates
By leveraging GitHub Actions, the attackers automatically update the repositories at a very high frequency by modifying a file, usually called “log”, with the current date and time or just some random small change. This continuous activity artificially boosts the repositories’ visibility, especially for instances where users filter their results by “most recently updated,” increasing the likelihood of unsuspecting users finding and accessing them.
Faking Popularity
While automatic updates help, the attackers combine another technique to amplify the effectiveness of their repo making it to the top results.
The attackers employed multiple fake accounts to add bogus stars, creating an illusion of popularity and trustworthiness. This artificially boosts the repositories’ visibility further, especially for instances where users filter their results by “most stars.”
In contrast to past incidents where attackers were found to add hundreds or thousands of stars to their repos, it appears that in these cases, the attackers opted for a more modest number of stars, probably to avoid raising suspicion with an exaggerated number.
Many of the stargazers are created on the same date. A red flag for fake accounts.
This social engineering technique is designed to manipulate users into believing that the repository is widely used and reliable, preying on the inherent trust users place in highly-starred repositories.
Unsuspecting users, often drawn to the top search results and repositories with seemingly positive engagement, are more likely to click on these malicious repositories and use the code or tools they provide, unaware of the hidden dangers lurking within.
For a deeper dive into the tactic of fake stars, check out our recent blog that explores this manipulation technique in greater detail.
Hidden Malware in Project Files:
The attackers conceal their malware primarily as obfuscated code deep within the .csproj or .vcxproj files of the repository (files commonly used in Visual Studio projects) to decrease the chances of the average user detecting it unless they proactively search for suspicious elements.
However, it’s worth noting that there have been a small number of other detected repos that contained different malware within other files.
The malicious script is embedded within a pre-build event of a Visual Studio project file (.vcxproj) and is designed to be executed automatically during the build process. The script consists of two main parts:
A batch script that sets up the environment and executes a VBScript file.
2. A base64-encoded PowerShell script that is decoded and executed by the VBScript file.
The batch script creates a temporary directory, generates a VBScript file, and decodes the base64-encoded PowerShell script. It then executes the decoded PowerShell script and cleans up the temporary files.
The decoded PowerShell script performs the following malicious actions:
1. Retrieves the country code of the machine’s IP address, determining whether the machine is based in Russia.
2. Downloads content from specific URLs based on the country code (content is continuously updated by the attacker)
3. Downloads encrypted files from each URL, extracts them with a predefined password, and executes the extracted files.
The script also employs error handling to silently catch exceptions and continue execution.
Active Campaign
On April 3rd, the attacker updated the malicious code within one of their repositories, pointing to a new URL that downloads a different encrypted .7z file containing an executable named feedbackAPI.exe.
The attacker had padded the executable with many zeros, a technique used to artificially boost the file size. Due to this padding, the file size exceeded the threshold of many security solutions, VirusTotal being a notable one, preventing the possibility of it from being scanned. According to VirusTotal’s documentation,
“If the file to be uploaded is bigger than 32MB, please use the /private/files/upload_url endpoint instead which admits files up to 650MB.”
The padded feedbackAPI.exe file was 750MB in size, exceeding even the increased limit for the alternative endpoint.
The results of our analysis of this malware suggest that the malware contains similarities to the “Keyzetsu clipper” malware, a relatively new addition to the growing list of crypto wallet clippers commonly distributed through pirated software.
This executable file also attempts to create persistence on Windows machines. It achieves this by creating a shortcut to the exe file and then establishing a daily scheduled task named “Feedback_API_VS_Services_Client” that executes the shortcut at 4AM. Notably, this task is created without any confirmation prompts, making it stealthier and more likely to go unnoticed by unsuspecting users.
Indicators of Successful Exploitation
Evidence indicates that the attackers’ campaign has successfully deceived unsuspecting users. Numerous malicious repositories have received complaints through Issues and pull requests from users who experienced problems after downloading and using the code.
Conclusion:
The use of malicious GitHub repositories to distribute malware is an ongoing trend that poses a significant threat to the open-source ecosystem. By exploiting GitHub’s search functionality and manipulating repository properties, attackers can lure unsuspecting users into downloading and executing malicious code.
To prevent falling victim to similar attacks, it is recommended to keep an eye on the following suspicious properties of a repo:
1. Commit frequency: Does the repo have an extraordinary number of commits relative to its age? Are these commits changing the same file with very minor changes?
2. Stargazers: Who is starring this repo? Do most of the stargazers appear to have had accounts created around the same time?
By being aware of these red flags, users can better protect themselves from inadvertently downloading and executing malware.
In the aftermath of the XZ attack and many other recent incidents, it would be irresponsible for developers to rely solely on reputation as a metric when using open source code. A developer who blindly takes code also blindly takes responsibility for that code. These incidents highlight the necessity for manual code reviews or the use of specialized tools that perform thorough code inspections for malware. Merely checking for known vulnerabilities is insufficient.
As part of Checkmarx’s commitment to supply chain security, our research team continuously monitors and detects suspicious activities in the open-source software ecosystem. We track and flag potential indicators of malicious behavior and promptly alert our customers and the community to help protect them from these evolving threats.
Working together to keep the open source ecosystem safe.
In March 2024, the software supply chain faced unprecedented threats, including one of the most advanced supply chain attacks known to date, where an advanced persistent threat actor hid a backdoor in a software package used in many Linux distributions. The Python ecosystem also found itself the target of numerous abuses, while the continued misuse of GitHub repositories for malware distribution persisted. Additionally, Tornado Cash, a decentralized privacy solution and cryptocurrency mixer on the Ethereum blockchain, fell victim to a stealthy attack.
Let’s delve into some of the most striking events of March:
Backdoor Discovered in xz: The Most Advanced Supply Chain Attack Known to Date
In what is probably one of the biggest, most advanced supply chain attacks in recent years was discovered accidentally on Friday 30th of March. The xz project, a tool used by many Linux distributions for compressing files, was compromised by a malicious actor who gradually took over the project and inserted a backdoor, allowing the attackers unauthorized access on systems that have the compromised versions installed. (report)
Over 170K Users Affected by Attack Using Fake Python Infrastructure
A software supply chain attack campaign, involving multiple TTPs, was launched by an attacker. The attacker created malicious open-source tools with clickbait descriptions and distributed a malicious dependency through a fake Python infrastructure, linking it to hijacked popular GitHub projects and legitimate Python packages. Among the victims of this attack was the Top.gg GitHub organization (a community of over 170k users) and several individual developers. The multi-stage malicious payload harvests sensitive and valuable data from infected systems and exfiltrates them to the attacker’s infrastructure. (report)
PyPi Is Under Attack: Project Creation and User Registration Suspended
On Mar 28, 2024–02:16 UTC, the Python Package Index (PyPi) suspended new project creation and new user registration to mitigate an ongoing malware upload campaign. (report)
Tornado Cash Theft Uncovered: Stealthy Attack Quietly Drains Funds from Decentralized Finance Platform for Months
The open-source codebase of Tornado Cash, a decentralized privacy solution and cryptocurrency mixer on the Ethereum blockchain, was compromised by a malicious developer. The attacker secretly embedded malicious JavaScript code within the project’s user interface, which captured and sent users’ private deposit notes to an unauthorized external server. (report)
GitHub Repos used for Distributing Malware
A report that delves into the escalating issue of malware distribution on GitHub, and underscores the diverse methods cybercriminals employ, ranging from attacks on legitimate repositories and social engineering to exploiting GitHub actions. (report)
Our team will continue to hunt, squash attacks, and remove malicious packages in our effort to keep the open-source ecosystem safe.
I encourage you to stay up to date with the latest trends and tactics in software supply chain security by tuning into our future posts and learning how to defend against potential threats.
The xz project, a tool used by many Linux distributions for compressing files, was compromised by a malicious actor who gradually took over the project and inserted a backdoor.
The attack, discovered accidently on March 29, 2024, by a developer named Andres Freund, during performance testing, was carried out over several years by the GitHub account Jia Tan (JiaT75), who gained the trust of the long-time maintainer of the xz project and eventually replaced them as the main point of contact.
The backdoor was added in versions 5.6.0 and 5.6.1 of xz Utils, a software package that includes the xz library. This backdoor allows attackers unauthorized access on systems that have the compromised versions installed.
The impact of this backdoor is significant because of xz’s use in many systems around the world, including popular Linux distributions like Red Hat and Debian.
In this blog post, we will provide a timeline of the events, look at the key people involved, and discuss what this incident means for the open-source community and the importance of maintaining the security and integrity of widely-used software libraries.
Key Findings
xz, a widely-used compression library, was compromised with a backdoor (CVE-2024–3094) that allows for unauthorized access on systems with compromised versions (5.6.0 and 5.6.1) installed.
The attack was carried out over several years by a user named Jia Tan (JiaT75), who gradually gained maintainer status after continuous pressure from unknown accounts on the long-time maintainer, Lasse Collin, to add a new maintainer and approve Jia Tan’s patch.
The widespread use of xz in Linux distributions makes the impact of the backdoor significant.
The backdoor was accidentally discovered on March 29, 2024, by the developer Andres Freund.
Gaining Reputation Over Time
The xz compression library, a widely-used tool for compressing files, found across Linux distributions, community projects, and commercial products, was compromised by a malicious actor named Jia Tan (JiaT75) who gradually and patiently gained maintainer status in order to pull off the attack, ultimately introducing a backdoor identified as CVE-2024–3094.
The attack began in 2021 when Jia Tan created their GitHub account and began using it for various activities.
In April 2022, Jia Tan submitted a patch to the xz project via a mailing list. Soon after, unknown accounts, including one named Jigar Kumar and another named Dennis Ens , began pressuring the long-time maintainer of xz, Lasse Collin, to merge the patch and add a new maintainer to the project. Lasse Collin, who had limited availability to take care for the project, eventually agreed to add Jia Tan as a maintainer. A decision that is in fact not unusual in the open-source community, where maintainers often hand off projects to others due to various reasons.
Over the next two years, Jia Tan became a regular contributor to the xz project, gaining trust within the community.
By March 2023, Jia Tan had become the primary contact for xz in Google’s oss-fuzz, a platform for finding vulnerabilities in open-source software.
Most Sophisticated Supply Chain Attack We Know
The backdoor itself was introduced in versions 5.6.0 and 5.6.1 of xz Utils, a software package that includes the xz library. The malicious code allows attackers unauthorized access by infecting the SSH on systems with the compromised versions installed, making it a significant threat to users of the library.
A Discovery
The backdoor was accidentally discovered on March 29, 2024, by Andres Freund during routine performance testing. Freund noticed unusual CPU usage in the sshd process, which led him to investigate further and uncover the malicious code. This accidental discovery, the backdoor could have gone unnoticed for a longer period, effecting a large part of the open source ecosystem.
The impact of the backdoor could have had particularly severe consequences due to the widespread use of xz in compressing critical software components, including popular Linux distributions like Red Hat and Debian. Many systems worldwide rely on xz for compressing and decompressing files, making the potential reach of the backdoor extensive.
Advanced Persistent Threat
The involvement of multiple identities. The complexity of the payload, and the high level of technical expertise required, along with the patience and persistence shown in gradually gaining trust within the xz community over several years before introducing the backdoor. All these are consistent with the capabilities of nation-state actors and are qualities of advanced persistent threats (APTs).
This incident is part of a growing and alarming trend of advanced persistent threats (APTs) targeting critical open-source projects.
Conclusion
The xz compromise highlights the urgent need for the open-source community to improve its security practices and tools to prevent similar attacks in the future. Collaboration, transparency, and shared responsibility are essential to detecting and mitigating advanced persistent threats (APTs) targeting critical open-source projects.
We, the community must develop more effective strategies, to strengthen the security of open-source software. By learning from this incident and taking proactive measures, the open-source community can build a more resilient and trustworthy ecosystem, ensuring the long-term success and integrity of open-source projects in the face of ever-evolving cybersecurity threats.
Working together to keep the opensource ecosystem safe.
Entrar
