Researchers report that attackers have uploaded malicious packages to the public npm repository that target companies’ internal applications, all of which exfiltrate sensitive information.
The attackers weaponized a proof-of-concept (PoC) dependency-confusion exploit recently published by security researcher Alex Birsan and used it to attack companies such as Amazon, Lyft, Zillow, and Slack.
Birsan’s PoC, which we reported on earlier, demonstrated how open-source tooling can be used to break into organizations’ internal apps. The researcher found such vulnerable code dependencies at PayPal, Apple, Microsoft, Shopify, Netflix, Tesla, Uber, and others.
While Birsan warned the affected parties and has since collected more than $130,000 in bug bounties, attackers were quick to leverage the situation.
Copycats and Malicious Actors Spring Into Action
According to cyber intelligence company Sonatype, within 48 hours of Birsan’s research, copycat bounty hunters uploaded more than 275 packages to the npm repository. Since then, the number of packages has jumped to 700, with malicious ones blending in among them.
“Some of the dependency-confusion copycat packages take what may be deemed ‘ethical research’ a step further, by engaging in outright malicious activities,” Ax Sharma, a researcher at Sonatype, explained.
Sonatype reports that several copycat packages exfiltrate the user’s .bash_history file, which contains a list of commands previously executed at the terminal by a user of a Unix-based OS. If this file is not cleaned periodically, it can contain usernames, passwords, and other sensitive data.
Malicious packages also often exfiltrated /etc/shadow, the file that holds the hashed passwords of a system’s user accounts. Researchers explain that this file is not as easy to exfiltrate because it is normally readable only by the “superuser” account; however, an attacker can obtain it if the infected machine runs npm with elevated privileges.
These types of attacks are especially dangerous because they leverage automatic dependency resolution: when a newer version of a package becomes available in the repository, a developer’s project will fetch it automatically.
Furthermore, because copycat packages are uploaded to public repositories, the barrier to entry is very low, allowing malicious attackers to blend in with the ethical hackers.
“Anybody — whether ethical researchers or malicious actors — can exploit the dependency confusion issue,” said Sharma. “What constitutes ‘ethical’ or not is largely determined by the actor’s intent.”
Recent Malicious Activity
Researchers uncovered malicious packages targeted at a variety of companies, including Amazon, Lyft, Slack, and Zillow.
The npm page for “amzn” offers two identical versions of a malicious package, each containing two files: a manifest file named package.json and the functional run.js file. Research shows that run.js collects the contents of the /etc/shadow file, which can then be exfiltrated to the attacker’s domain.
The package targeting Zillow, “zg-rentals,” was posted to npm by the same author and has an identical structure to the “amzn” package.
While the package targeting Slack, “serverless-slack-app,” cannot be linked to ethical analysis, researchers point out that it is named after a legitimate package made by an Atlassian developer. It has preinstall and postinstall scripts, both launched from the manifest file. According to Sonatype, the preinstall stage is an identical replica of that in Birsan’s PoC research packages.
Researchers found a fourth package by the same author, targeting Lyft. Called “lyft-dataset-sdk,” it shares its name with a Python-based package used by Lyft.
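As an added example (not code from the article, from Sonatype or from Birsan’s research), the following Node.js script shows how a defender might audit parsed package.json manifests for the two properties the article describes: install-time lifecycle hooks (preinstall/postinstall) that run code the moment a package is fetched, and floating version ranges that let a newer public version be pulled in automatically. It also scans a hook script’s source for references to the sensitive files the article names. The package names, versions and script fragment are constructed samples, not the real packages.

```javascript
// Added example (not code from the article, Sonatype or Birsan): a small
// defensive audit over parsed package.json manifests. It flags install-time
// lifecycle hooks and floating version ranges, and scans a hook script's
// source for references to sensitive files. Package names, versions and
// script source below are constructed samples, not real packages.

// npm runs these scripts during "npm install" without any further user action.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Files the article reports being exfiltrated; extend for your own environment.
const SENSITIVE_PATH_PATTERNS = [/\/etc\/shadow\b/, /\.bash_history\b/, /\/etc\/passwd\b/];

// True when a version spec can resolve to a newer release than the one the
// project was last built with (so a higher-versioned public upload wins).
function isFloatingRange(spec) {
  if (typeof spec !== "string") return false;
  const s = spec.trim();
  return (
    s === "" || s === "*" || s === "latest" ||  // "newest available"
    /^[\^~>]/.test(s) ||                         // ^1.2.3, ~1.2.3, >1.0.0, >=1.0.0
    /(^|\.)[xX*]$/.test(s) ||                    // 1.x, 1.2.*
    /\s-\s/.test(s) || /\|\|/.test(s)            // hyphen ranges, alternatives
  );
}

// Returns findings {type, detail} for one parsed package.json object.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) {
      findings.push({ type: "lifecycle-hook", detail: `${hook}: ${scripts[hook]}` });
    }
  }
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (isFloatingRange(spec)) {
        findings.push({ type: "floating-range", detail: `${field}.${name}: "${spec}"` });
      }
    }
  }
  return findings;
}

// Returns the sensitive paths a script's source text refers to.
function findSensitiveFileReferences(source) {
  const hits = [];
  for (const re of SENSITIVE_PATH_PATTERNS) {
    const m = source.match(re);
    if (m) hits.push(m[0]);
  }
  return hits;
}

// Constructed sample 1: a package whose manifest launches run.js from both
// install hooks, mirroring the structure the article describes.
const SUSPICIOUS_PACKAGE_MANIFEST = {
  name: "example-internal-name", // hypothetical package name
  version: "1.0.0",
  scripts: { preinstall: "node run.js", postinstall: "node run.js" },
};

// Constructed sample 2: a fragment of what such a run.js might contain.
// Only the file read is shown; no network code is included.
const SUSPICIOUS_SCRIPT_SOURCE =
  'const fs = require("fs");\nconst data = fs.readFileSync("/etc/shadow", "utf8");\n';

// Constructed sample 3: a consuming project's manifest with one floating range
// on an internal-looking name, the situation dependency confusion abuses.
const PROJECT_MANIFEST = {
  name: "example-app",
  version: "0.1.0",
  dependencies: { "example-util": "1.3.0", "example-internal-name": "^1.0.0" },
};

// Runs all three checks over the samples and returns the findings.
function runSampleAudit() {
  return {
    packageFindings: auditManifest(SUSPICIOUS_PACKAGE_MANIFEST),
    projectFindings: auditManifest(PROJECT_MANIFEST),
    sensitiveRefs: findSensitiveFileReferences(SUSPICIOUS_SCRIPT_SOURCE),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runSampleAudit(), null, 2));
}
```

Run it with `node audit.js`; in practice you would point `auditManifest` at each package.json under node_modules (for the hook check) and at the project’s own manifest (for the range check). Exact version pins plus a lockfile, and install hooks disabled with `npm install --ignore-scripts`, are the usual mitigations for the behaviour the article describes.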