November 28, 2024 at 06:08AM
Researchers found a year-long software supply chain attack on the npm package registry involving the malicious package @0xengine/xmlrpc, which harvested sensitive data and mined cryptocurrency. Discovered by Checkmarx, it exploited trust in dependencies. Additionally, ongoing malicious campaigns using counterfeit packages target multiple platforms and developer communities, including Roblox developers.
### Meeting Takeaways – Software Security / Data Breach – Nov 28, 2024
1. **Supply Chain Attack Discovery**:
– Researchers found a software supply chain attack involving the npm package named **@0xengine/xmlrpc**.
– The malicious code was introduced in version **1.3.4** on **October 3, 2023**, after the initial release on **October 2, 2023**.
2. **Malicious Functionality**:
– The malware collects sensitive data (SSH keys, bash history, system metadata, environment variables) every **12 hours**.
– It exfiltrates this data via Dropbox and file.io.
3. **Distribution Methods**:
– The attack was distributed via direct npm installation and as a hidden dependency in legitimate-looking projects, such as a GitHub repository named **yawpp**.
4. **Potential Impact**:
– **68 compromised systems** have been identified as involved in mining cryptocurrency (Monero).
– The malware can monitor active processes and terminate mining operations if specific commands or user activity is detected.
5. **Advice and Warning**:
– Researchers emphasized that the longevity and consistent maintenance of a package do not guarantee its safety. Continuous vigilance is needed throughout a package’s lifecycle.
6. **Related Malicious Campaigns**:
– Datadog Security Labs uncovered a separate malicious campaign targeting Windows users with counterfeit packages on npm and PyPI, aiming to deploy open-source malware (Blank-Grabber and Skuld Stealer).
– There is evidence of ties to a campaign (MUT-8694) that targets developers, particularly those associated with Roblox, suggesting ongoing threats to the developer community.
### Action Items:
– Increase awareness and training on software supply chain security among developers.
– Review and vet dependencies for new projects regularly to mitigate risks.
– Stay updated on ongoing threats and maintain vigilance in package management practices.
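As an added example (not code from the original report or from Checkmarx), the following Node.js script performs the check that the "hidden dependency" finding and the dependency-vetting action item call for: it audits an npm lockfile (lockfileVersion 3) for a flagged package wherever it sits in the tree, including copies nested under another dependency that never appear in package.json, and reports which package pulled it in. The sample lockfile, the root project name and the `some-lib` dependency are constructed for illustration; the flagged package name and version come from the report above.

```javascript
// First version known malicious according to the report above; any installed
// copy of the package is reported, whatever its version.
const FLAGGED = { "@0xengine/xmlrpc": "1.3.4" };

// npm lockfile v3 keys each installed package by its node_modules path, e.g.
// "node_modules/a/node_modules/@scope/b"; the package name is the last segment.
function packageNameFromPath(p) {
  const marker = "node_modules/";
  return p.slice(p.lastIndexOf(marker) + marker.length);
}

// Returns one finding per installed copy of a flagged package: its version,
// its path in the tree, whether it runs an install script, and the packages
// (or the root project) that declare it as a dependency.
function auditLockfile(lock, flagged = FLAGGED) {
  if (lock.lockfileVersion !== 3 || typeof lock.packages !== "object") {
    throw new Error("expected an npm lockfile with lockfileVersion 3");
  }
  const entries = Object.entries(lock.packages);
  const findings = [];
  for (const [path, entry] of entries) {
    if (path === "") continue; // the root project itself
    const name = packageNameFromPath(path);
    if (!(name in flagged)) continue;
    const introducedBy = entries
      .filter(([, e]) => e.dependencies && name in e.dependencies)
      .map(([p]) => (p === "" ? "(root project)" : packageNameFromPath(p)));
    findings.push({
      name,
      version: entry.version,
      path,
      hasInstallScript: entry.hasInstallScript === true, // set by npm for packages with install hooks
      firstMaliciousVersion: flagged[name],
      introducedBy,
    });
  }
  return findings;
}

// Constructed sample: a legitimate-looking app depends only on "some-lib",
// which in turn pulls in the flagged package as a transitive dependency.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "some-lib": "^1.0.0" } },
    "node_modules/some-lib": { version: "1.0.0", dependencies: { "@0xengine/xmlrpc": "^1.3.4" } },
    "node_modules/@0xengine/xmlrpc": { version: "1.3.4", hasInstallScript: true },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse` of the project's `package-lock.json`; a non-empty result means the package is installed even if `package.json` never mentions it.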