Malicious javascript compromise on npmjs.com
-
Malicious javascript compromise on npmjs.com
These packages, about a billion downloads prior
supports-hyperlinks
chalk-template
simple-swizzle
slice-ansi
error-ex
is-arrayish
wrap-ansi
backslash
color-string
color-convert
color
color-nameThread follows.
Example change and download stats on one of the 12 packages changed, incident started about 2 hours ago.
-
Example change and download stats on one of the 12 packages changed, incident started about 2 hours ago.
Example copy of one of the inserted JS: https://pastebin.com/bwLZrq02
-
Example copy of one of the inserted JS: https://pastebin.com/bwLZrq02
Just reported to NPM, they work on it.
-
Just reported to NPM, they work on it.
Derek's caught it too https://infosec.exchange/@derekheld/115169311485030806
-
Derek's caught it too https://infosec.exchange/@derekheld/115169311485030806
It's a cryptocurrency wallet drainer, RIP a load of devops dudes crypto.
-
Malicious javascript compromise on npmjs.com
These packages, about a billion downloads prior
supports-hyperlinks
chalk-template
simple-swizzle
slice-ansi
error-ex
is-arrayish
wrap-ansi
backslash
color-string
color-convert
color
color-nameThread follows.
@GossiTheDog is-arrayish, it has 9 lines of code
️ -
It's a cryptocurrency wallet drainer, RIP a load of devops dudes crypto.
NPM on it, some packages nuked, more being nuked
-
NPM on it, some packages nuked, more being nuked
If you want an idea of scale of trojan attempt - 'color' alone had 32m downloads in a week, the combined attempt was pushing a billion due to upstream dependencies.
Hunt tip: look for registry.npmjs.org in proxy logs, package names are in the URLs.
-
If you want an idea of scale of trojan attempt - 'color' alone had 32m downloads in a week, the combined attempt was pushing a billion due to upstream dependencies.
Hunt tip: look for registry.npmjs.org in proxy logs, package names are in the URLs.
additional backdoored packages
ansi-styles
debug
chalk
supports-color
strip-ansi
ansi-regex
has-ansi -
additional backdoored packages
ansi-styles
debug
chalk
supports-color
strip-ansi
ansi-regex
has-ansiWeekly download stats for impacted packages prior to incident
ansi-styles (371.41m)
debug (357.6m)
backslash (0.26m)
chalk-template (3.9m)
supports-hyperlinks (19.2m)
has-ansi (12.1m)
simple-swizzle (26.26m)
color-string (27.48m)
error-ex (47.17m)
color-name (191.71m)
is-arrayish (73.8m)
slice-ansi (59.8m)
color-convert (193.5m)
wrap-ansi (197.99m)
ansi-regex (243.64m)
supports-color (287.1m)
strip-ansi (261.17m)
chalk (299.99m)Total 2674m
-
Weekly download stats for impacted packages prior to incident
ansi-styles (371.41m)
debug (357.6m)
backslash (0.26m)
chalk-template (3.9m)
supports-hyperlinks (19.2m)
has-ansi (12.1m)
simple-swizzle (26.26m)
color-string (27.48m)
error-ex (47.17m)
color-name (191.71m)
is-arrayish (73.8m)
slice-ansi (59.8m)
color-convert (193.5m)
wrap-ansi (197.99m)
ansi-regex (243.64m)
supports-color (287.1m)
strip-ansi (261.17m)
chalk (299.99m)Total 2674m
Phishing email sent to maintainers, they basically targeted people with 2FA by getting them to.. reset their 2FA.
-
Phishing email sent to maintainers, they basically targeted people with 2FA by getting them to.. reset their 2FA.
Developer confirms they fell for phishing email
It looks like others have too, found one other compromised repo from a different user, will have a dig tomorrow as bored of cyber tonight.
https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydioq5swk2y
-
@GossiTheDog is-arrayish, it has 9 lines of code
️@rabc @GossiTheDog Fuck micro-dependency shit.
-
Developer confirms they fell for phishing email
It looks like others have too, found one other compromised repo from a different user, will have a dig tomorrow as bored of cyber tonight.
https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydioq5swk2y
For anybody confused about how this happens, basically:
- For about the past 15 years every business has been developing apps by pulling in 178 interconnected libraries written by 24 people in a shed in Skegness
- For about the past 2 years orgs have been buying AI vibe coding tools, where some exec screams "make online shop" into a computer and 389 libraries are added and an app is farted out
The output = if you want to own the world's companies, just phish one guy in Skegness
-
For anybody confused about how this happens, basically:
- For about the past 15 years every business has been developing apps by pulling in 178 interconnected libraries written by 24 people in a shed in Skegness
- For about the past 2 years orgs have been buying AI vibe coding tools, where some exec screams "make online shop" into a computer and 389 libraries are added and an app is farted out
The output = if you want to own the world's companies, just phish one guy in Skegness
@GossiTheDog the trend in npm to use trivial libraries, i.e.ones you can replace in one expression, really doesn't help.
When we do training on this I point the finger at is-even which is dependent on is-odd and is-number and can be replaced by (x % 2) == 0
-
undefined Stefano Marinelli ha condiviso questa discussione
-
Malicious javascript compromise on npmjs.com
These packages, about a billion downloads prior
supports-hyperlinks
chalk-template
simple-swizzle
slice-ansi
error-ex
is-arrayish
wrap-ansi
backslash
color-string
color-convert
color
color-nameThread follows.
@GossiTheDog Whoa!
-
undefined Oblomov ha condiviso questa discussione
undefined Jess Robinson ha condiviso questa discussione
