Introducing Qwiet AI AutoFix! Reduce the time to secure code by 95% Read More

Node Package Manager (NPM) is the default package manager for JavaScript that makes it easier for developers to install, update, and manage web project dependencies. In July 2023, GitHub released a security alert about a social engineering campaign targeting personal accounts. On August 15, 2023, The Hacker News reported that North Korean threat actors appeared to be engaging in a sophisticated, targeted attack. 

As attackers continue to deploy these combined social engineering and supply chain attacks, developers should know how to identify npm package exploits. 

What Do NPM Attacks Look Like?

When you aggregate the various announcements, the attacks all follow a similar pattern. 

  • Attackers create fake or takeover real repository or social media accounts, impersonating a developer or recruiter.
  • Using the account, they contact the target and ask to collaborate on public or private GitHub repository. 
  • Target clones the compromised repository and executes contents. 
  • The malicious malware npm packages download and execute the second-stage malware on the victim’s machine. 

Also, you should consider the following:

  • Attackers may hide malicious npms in various software, including media players or cryptocurrency tools
  • Sometimes attackers bypass the repository/cloning step by delivering malicious software through a messaging or file-sharing platform.

In this case, the attack focuses on inability to identify discrete components within the npm. When victims download the software to their machines, they often lack visibility into the packages. For example, more recent attacks appear to monitor machine GUIDS to determine whether the attackers want to issue additional payloads. 

List of Malicious NPM Packages 

Between the original GitHub list and the additional packages from Hacker News, developers should be wary of the following 39 malicious npm packages:

  • assets-graph
  • assets-table
  • audit-ejs
  • audit-vue
  • binance-price
  • binance-prices
  • coingecko-prices
  • btc-web3
  • cache-react
  • cache-vue
  • chart-tablejs
  • chart-vxe
  • cloud-room-video
  • couchcache-audit
  • ejs-audit
  • elliptic-helper
  • elliptic-parser
  • eth-api-node
  • jpeg-metadata
  • other-web3
  • pingan-vue-floating
  • price-fetch
  • price-record
  • progress-player
  • srm-front-util
  • snykaudit-helper
  • sync-http-api
  • sync-https-api
  • tslib-react
  • tslib-util
  • ttf-metadata
  • vue-audit
  • vue-gws
  • vuewjs
  • ws-paso-jssdk
  • ynf-core-loader
  • ynf-core-renderer 
  • ynf-dx-scripts
  • ynf-dx-webpack-plugins

 

What to Do If You Are a Victim of a Malicious NPM Supply Chain Attack

Although the North Korean atacks appear to target accounts connected to blockchain, cryptocurrency, online gambling, and cybersecurity sectors, all developers should be aware of these supply chain attacks and know how to mitigate risks. 

Just Say “No”

If anyone you don’t already know reaches out to collaborate with you, engage in thorough due diligence. Additionally, GitHub has identified, at minimum, the following malicious GitHub accounts:

  • GalaxyStarTeam
  • Cryptowares
  • Cryptoinnowise
  • netgolden

Further, it has identified the following malicious npm accounts:

  • charlestom2023
  • eflodzumibreathbn
  • galaxystardev
  • garik.khasmatulin.76
  • hydsapprokoennl
  • leimudkegoraie3
  • leshakov-mikhail
  • linglidekili9g
  • mashulya.bakhromkina
  • mayvilkushiot
  • outmentsurehauw3
  • paupadanberk
  • pormokaiprevdz
  • podomarev.goga
  • teticseidiff51
  • toimanswotsuphous
  • ufbejishisol

Review Security Logs

If you’re not sure whether you accepted a repository invite from one of these accounts, you can search your GitHub security log.

Identify Dependencies

Modern applications often incorporate various open-source libraries and frameworks, making it difficult to identify functional elements and data flow paths. By scanning your open source libraries, you can identify malicious packages. For example, your Software Bill of Materials (SBOM) should provide an in-depth explanation of security issues associated with packages so that you can identify and remediate threats. 

Further, if recently published, net-new packages, scripts, or dependencies make network connections during installation, you should engage in further review. 

Recover Affected Machines 

If you identify any malicious npm packages, you can take some of the following steps to recover from the attack:

  • Reset or wipe potentially impacted devices
  • Change passwords
  • Rotate sensitive credentials/tokens

Qwiet AI: AI For Software Supply Chain Attack Mitigation

With Qwiet AI’s Intelligent Software Composition Analysis (SCA) platform, you can quickly scan your source code, detecting all dependencies, to build security into your CI/CD processes. Our Intelligent SBOMs provide visibility into the components that make up your apps, enabling you to proactively and reactively secure your software. You can integrate our preZero platform directly into your existing pipelines, ticketing systems, and development tools, enabling you to find and fix high-priority vulnerabilities while still meeting your software delivery timelines. 

Take our preZero platform for a free spin or contact us today to see how Qwiet AI can help you secure your applications against threats. 

 

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.

Share

Read Next

AppSec DevOps
January 30, 2024 4 min to read

Handling Session Management in Web Applications

Back in 1893, the Lizzie Borden murders, where the Massachusetts woman was accused of killing both her parents with an ax, captivated the public and news media. Eventually found not guilty, one fundamental question perplexed police officers and the jury. Every door inside the Borden house had its own lock and corresponding key, an attempt […]

READ MORE
AppSec Cybersecurity Cybersecurity for Developers
January 16, 2024 4 min to read

Paying Off Your Loans: Technical Debt and Security Debt i...

Whether it’s school or car loans, you know that paying off your debt makes your life easier. It can improve your credit score, giving you more financial security. As a developer, you may also suffer from technical debt that impacts your application’s security. In a world where time to delivery is critical, you may make […]

READ MORE
AppSec Cybersecurity Cybersecurity for Developers DevOps Engineering
January 11, 2024 4 min to read

Understanding and Implementing HTTPS Strict Transport Sec...

Introduction Within the cascading bytes and bits of digital communications, developers forge pathways of data, threading information through the vast expanse of the internet. However, threats lurking within these pathways seek to intercept, manipulate, and exploit this data. This article ventures into HTTPS and Strict Transport Security (HSTS), offering developers a guide to comprehend, implement, […]

READ MORE

Read Next

Cybersecurity
March 17, 2022 7 min to read

Secure Software Summit: Importance of Securing Software w...

  With the increase of supply chain attacks on everything from logging software like Log4J to takeovers of important JavaScript packages to compromises of network utility tools like SolarWinds, more and more organizations are recognizing the need to adopt a Zero Trust mindset. Zero Trust can improve security, reduce risks, and give organizations greater confidence […]

READ MORE
Cybersecurity
July 25, 2023 4 min to read

What is OWASP and Why is it Important to Developers?

by Team Qwiet

Shipping your software – and doing it on time – may be your first priority as a developer. However, as your company shifts security left, you need to build it into your processes while still meeting estimated timelines. Now you need to manage cross-functional communications and respond to seemingly competing priorities. You’re trying to debug […]

READ MORE
AppSec Cybersecurity DevOps Engineering
September 19, 2023 5 min to read

Jenkins Plug-In Vulnerabilities: September 2023

by Bruce Snell

At the end of August 2023, Jenkins announced it experienced 79% growth between June 2021 and June 2023. With an estimated 44% market share, Jenkins is a critical technology automating CI/CD pipelines.  As a technology pervasive across the developer community, the Jenkins vulnerabilities announced on August 6, 2023, will likely attract attackers seeking to infiltrate […]

READ MORE
Subscribe to newsletter
Privacy Policy Terms of Service © 2024 Qwiet. All rights reserved
Services
Company
Platform
Resources
Log In