#Cybersecurity#vulnerability#malware#security#software
  • Home
  • North Korean Hackers Suspected in New Wave of Malicious npm Packages

North Korean Hackers Suspected in New Wave of Malicious npm Packages

Author : ArmCoding
16-08-2023
Share
North Korean Hackers Suspected in New Wave of Malicious npm Packages

The npm package registry has emerged as the target of yet another highly targeted attack campaign that aims to entice developers into downloading malevolent modules.

Software supply chain security firm Phylum told The Hacker News the activity exhibits similar behaviors to that of a previous attack wave uncovered in June, which has since been linked to North Korean threat actors.

The attack chain commences with the package.json file with a postinstall hook that executes an index.js file upon package installation. The latter uses the legitimate pm2 module as a dependency to launch a daemon process that, in turn, executes another JavaScript file named app.js.

The JavaScript code is designed to initiate encrypted two-way communication with a remote server – “ql.rustdesk[.]net,” a spoofed domain masquerading as the legitimate RustDesk remote desktop software – 45 seconds after the package is installed and transmit basic information about the compromised host.

The development follows the discovery of a typosquat version of a popular Ethereum package on npm that’s engineered to make an HTTP request to a Chinese server (“wallet.cba123[.]cn” containing the user’s cryptographic key.

What’s more, the highly popular NuGet package, Moq, has drawn criticism after new versions 4.20.0 and 4.20.1 of the package released last week came with a new dependency referred to as SponsorLink that extracts SHA-256 hashes of developer email addresses from local Git configs and sends it to a cloud service without their knowledge or consent.

The findings also come as organizations have been found increasingly vulnerable to dependency confusion attacks, potentially leading developers to unwittingly introduce vulnerable or malicious code into their projects, effectively resulting in large-scale supply chain attacks.

As mitigations against dependency confusion attacks, it’s recommended to publish internal packages under organization scopes and reserve internal package names in the public registry as placeholders to prevent misuse.

 

Source: https://thehackernews.com/

#Cybersecurity#Hacker#HTTP#malware#Network#security#software#vulnerability
CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw
CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw
  • 31-05-2024
Researchers Uncover Active Exploitation of WordPress Plugin Vulnerabilities
Researchers Uncover Active Exploitation of WordPress Plugin Vulnerabilities
  • 31-05-2024
BreachForums Returns Just Weeks After FBI Seizure – Honeypot or Blunder?
BreachForums Returns Just Weeks After FBI Seizure – Honeypot or Blunder?
  • 30-05-2024
Okta Warns of Credential Stuffing Attacks Targeting Customer Identity Cloud
Okta Warns of Credential Stuffing Attacks Targeting Customer Identity Cloud
  • 30-05-2024
WordPress Plugin Exploited to Steal Credit Card Data from E-commerce Sites
WordPress Plugin Exploited to Steal Credit Card Data from E-commerce Sites
  • 29-05-2024
TP-Link Gaming Router Vulnerability Exposes Users to Remote Code Attacks
TP-Link Gaming Router Vulnerability Exposes Users to Remote Code Attacks
  • 29-05-2024
4th Zero-Day Exploit Discovered in May 2024
4th Zero-Day Exploit Discovered in May 2024
  • 27-05-2024
Beware: These Fake Antivirus Sites Spreading Android and Windows Malware
Beware: These Fake Antivirus Sites Spreading Android and Windows Malware
  • 27-05-2024
CISA Warns of Actively Exploited Apache Flink Security Vulnerability
CISA Warns of Actively Exploited Apache Flink Security Vulnerability
  • 24-05-2024