Malicious Rust Libraries Caught Transmitting OS Info to Telegram Channel

29-08-2023
Share
Malicious Rust Libraries Caught Transmitting OS Info to Telegram Channel

In yet another sign that developers continue to be targets of software supply chain attacks, a number of malicious packages have been discovered on the Rust programming language’s crate registry.

The libraries, uploaded between August 14 and 16, 2023, were published by a user named “amaperf,” Phylum said in a report published last week. The names of the packages, now taken down, are as follows: postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger.

This suggests that the campaign may have been in its early stages and that the threat actor may have been casting a wide net to compromise as many developer machines as possible to deliver rogue updates with improved data exfiltration capabilities.

The disclosure comes as Phylum also revealed an npm package called emails-helper that, once installed, sets up a callback mechanism to exfiltrate machine information to a remote server and launches encrypted binaries that are shipped with it as part of a sophisticated attack.

“Data exfiltration is attempted via HTTP, and if this fails, the attacker reverts to exfiltrating data via DNS,” the company said. “The binaries deploy penetration testing tools like dnscat2mettle, and Cobalt Strike Beacon.”

“A simple action like running npm install can set off this elaborate attack chain, making it imperative for developers to exercise caution and due diligence as they carry out their software development activities.”

 

Source:  https://thehackernews.com/