As attackers continue to deploy these combined social engineering and supply chain attacks, developers should know how to identify npm package exploits.
What Do NPM Attacks Look Like?
When you aggregate the various announcements, the attacks all follow a similar pattern.
- Attackers create fake or takeover real repository or social media accounts, impersonating a developer or recruiter.
- Using the account, they contact the target and ask to collaborate on public or private GitHub repository.
- Target clones the compromised repository and executes contents.
- The malicious malware npm packages download and execute the second-stage malware on the victim’s machine.
Also, you should consider the following:
- Attackers may hide malicious npms in various software, including media players or cryptocurrency tools
- Sometimes attackers bypass the repository/cloning step by delivering malicious software through a messaging or file-sharing platform.
In this case, the attack focuses on inability to identify discrete components within the npm. When victims download the software to their machines, they often lack visibility into the packages. For example, more recent attacks appear to monitor machine GUIDS to determine whether the attackers want to issue additional payloads.
List of Malicious NPM Packages
Between the original GitHub list and the additional packages from Hacker News, developers should be wary of the following 39 malicious npm packages:
What to Do If You Are a Victim of a Malicious NPM Supply Chain Attack
Although the North Korean atacks appear to target accounts connected to blockchain, cryptocurrency, online gambling, and cybersecurity sectors, all developers should be aware of these supply chain attacks and know how to mitigate risks.
Just Say “No”
If anyone you don’t already know reaches out to collaborate with you, engage in thorough due diligence. Additionally, GitHub has identified, at minimum, the following malicious GitHub accounts:
Further, it has identified the following malicious npm accounts:
Review Security Logs
If you’re not sure whether you accepted a repository invite from one of these accounts, you can search your GitHub security log.
Modern applications often incorporate various open-source libraries and frameworks, making it difficult to identify functional elements and data flow paths. By scanning your open source libraries, you can identify malicious packages. For example, your Software Bill of Materials (SBOM) should provide an in-depth explanation of security issues associated with packages so that you can identify and remediate threats.
Further, if recently published, net-new packages, scripts, or dependencies make network connections during installation, you should engage in further review.
Recover Affected Machines
If you identify any malicious npm packages, you can take some of the following steps to recover from the attack:
- Reset or wipe potentially impacted devices
- Change passwords
- Rotate sensitive credentials/tokens
Qwiet AI: AI For Software Supply Chain Attack Mitigation
With Qwiet AI’s Intelligent Software Composition Analysis (SCA) platform, you can quickly scan your source code, detecting all dependencies, to build security into your CI/CD processes. Our Intelligent SBOMs provide visibility into the components that make up your apps, enabling you to proactively and reactively secure your software. You can integrate our preZero platform directly into your existing pipelines, ticketing systems, and development tools, enabling you to find and fix high-priority vulnerabilities while still meeting your software delivery timelines.