Aug 28, 2023THNSupply Chain / Software Security In yet another sign that developers continue to be targets of software supply chain attacks, a number of malicious packages have been discovered on the Rust programming language's crate registry. The libraries, uploaded between August 14 and 16, 2023, were published by a user named "amaperf," Phylum said in a report published last week. The names of the packages, now taken down, are as follows: postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger. It's not clear what the end goal of the campaign was, but the suspicious modules were found to harbor functionalities to capture the operating system information (i.e., Windows, Linux, macOS, or Unknown) and transmit the data to a hard-coded Telegram channel via the messaging platform's API. This suggests that the campaign may have been in its early stages and that the threat actor may have been casting a wide net to compromise as many developer machines as possible to deliver rogue updates with improved data exfiltration capabilities. "With access to SSH keys, production infrastructure, and company IP, developers are now an extremely valuable target," the company said. This is not the first time crates.io has emerged as a target of a supply chain attack. In May 2022, SentinelOne uncovered a campaign dubbed CrateDepression that leveraged typosquatting techniques to steal sensitive information and download arbitrary files. The disclosure comes as Phylum also revealed an npm package called emails-helper that, once installed, sets up a callback mechanism to exfiltrate machine information to a remote server and launches encrypted binaries that are shipped with it as part of a sophisticated attack. UPCOMING WEBINARWay Too Vulnerable: Uncovering the State of the Identity Attack SurfaceAchieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threatsSupercharge Your Skills The module, which was advertised as a "JavaScript library to validate email address against different formats," has been taken down by npm but not before it attracted 707 downloads since it was uploaded to the repository on August 24, 2023. "Data exfiltration is attempted via HTTP, and if this fails, the attacker reverts to exfiltrating data via DNS," the company said. "The binaries deploy penetration testing tools like dnscat2, mettle, and Cobalt Strike Beacon." "A simple action like running npm install can set off this elaborate attack chain, making it imperative for developers to exercise caution and due diligence as they carry out their software development activities." Malicious packages have been discovered on the Python Package Index (PyPI) as well, which attempt to steal sensitive information from infected systems as well as download an unknown second-stage payload from a remote server. Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Wir nutzen Cookies auf unserer Website. Einige von ihnen sind essenziell für den Betrieb der Seite, während andere uns helfen, diese Website und die Nutzererfahrung zu verbessern (Tracking Cookies). Sie können selbst entscheiden, ob Sie die Cookies zulassen möchten. Bitte beachten Sie, dass bei einer Ablehnung womöglich nicht mehr alle Funktionalitäten der Seite zur Verfügung stehen.
Aug 28, 2023THNSupply Chain / Software Security In yet another sign that developers continue to be targets of software supply chain attacks, a number of malicious packages have been discovered on the Rust programming language's crate registry. The libraries, uploaded between August 14 and 16, 2023, were published by a user named "amaperf," Phylum said in a report published last week. The names of the packages, now taken down, are as follows: postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger. It's not clear what the end goal of the campaign was, but the suspicious modules were found to harbor functionalities to capture the operating system information (i.e., Windows, Linux, macOS, or Unknown) and transmit the data to a hard-coded Telegram channel via the messaging platform's API. This suggests that the campaign may have been in its early stages and that the threat actor may have been casting a wide net to compromise as many developer machines as possible to deliver rogue updates with improved data exfiltration capabilities. "With access to SSH keys, production infrastructure, and company IP, developers are now an extremely valuable target," the company said. This is not the first time crates.io has emerged as a target of a supply chain attack. In May 2022, SentinelOne uncovered a campaign dubbed CrateDepression that leveraged typosquatting techniques to steal sensitive information and download arbitrary files. The disclosure comes as Phylum also revealed an npm package called emails-helper that, once installed, sets up a callback mechanism to exfiltrate machine information to a remote server and launches encrypted binaries that are shipped with it as part of a sophisticated attack. UPCOMING WEBINARWay Too Vulnerable: Uncovering the State of the Identity Attack SurfaceAchieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threatsSupercharge Your Skills The module, which was advertised as a "JavaScript library to validate email address against different formats," has been taken down by npm but not before it attracted 707 downloads since it was uploaded to the repository on August 24, 2023. "Data exfiltration is attempted via HTTP, and if this fails, the attacker reverts to exfiltrating data via DNS," the company said. "The binaries deploy penetration testing tools like dnscat2, mettle, and Cobalt Strike Beacon." "A simple action like running npm install can set off this elaborate attack chain, making it imperative for developers to exercise caution and due diligence as they carry out their software development activities." Malicious packages have been discovered on the Python Package Index (PyPI) as well, which attempt to steal sensitive information from infected systems as well as download an unknown second-stage payload from a remote server. Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.