A sophisticated supply chain attack has compromised several widely used npm packages, including eslint-config-prettier and eslint-plugin-prettier, after threat actors successfully stole maintainer authentication tokens through a targeted phishing campaign.
The attack leveraged a typosquatted domain, npnjs.com, designed to mimic the legitimate npmjs.org site and harvest developer credentials through convincing phishing emails.
The malicious campaign represents a multi-stage supply chain compromise that exploited the trust inherent in the npm ecosystem.
Attackers first harvested maintainer credentials through sophisticated phishing emails, then used the stolen tokens to publish malicious package versions directly to the npm registry without making any corresponding changes to the GitHub repositories, which made the attack considerably harder to detect through conventional monitoring methods.
[Figure: list of package maintainers (Source: Socket.dev)]
Socket.dev researchers identified the compromise after suspicious activity reports revealed that several versions of popular packages had been published without corresponding commits or pull requests on GitHub.
The affected packages included eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7, along with eslint-plugin-prettier versions 4.2.2 and 4.2.3, synckit 0.11.9, @pkgr/core 0.2.8, and napi-postinstall 0.3.1.
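A defender's first question is whether any of the versions listed above are present in a project. The following script, added here as an example and not part of the original report or of any of the affected projects, walks the `packages` section of an npm lockfile (lockfileVersion 2 or 3) and flags entries whose name and version match the compromised set, including nested installs; the lockfile content is constructed sample data, while the package names and versions are the ones the report names.

```javascript
// Added example: scan an npm package-lock.json (v2/v3) for the compromised
// package versions named in the report. The lockfile below is constructed.
const COMPROMISED = {
  'eslint-config-prettier': ['8.10.1', '9.1.1', '10.1.6', '10.1.7'],
  'eslint-plugin-prettier': ['4.2.2', '4.2.3'],
  'synckit': ['0.11.9'],
  '@pkgr/core': ['0.2.8'],
  'napi-postinstall': ['0.3.1'],
};

// Lockfile v2/v3 keys entries under "packages" by install path, e.g.
// "node_modules/@pkgr/core" or "node_modules/a/node_modules/synckit".
// The package name is whatever follows the last "node_modules/" segment,
// which also handles scoped names like "@pkgr/core".
function nameFromPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Returns { path, name, version } for every installed entry whose
// name/version pair is on the compromised list (nested installs included).
function findCompromised(lockfile) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages || {})) {
    if (installPath === '') continue; // root project entry, not a dependency
    const name = nameFromPath(installPath);
    const bad = name ? COMPROMISED[name] : undefined;
    if (bad && bad.includes(entry.version)) {
      hits.push({ path: installPath, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one clean version, one compromised top-level
// package, and one compromised package nested under another dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/eslint-config-prettier': { version: '10.1.5' },
    'node_modules/eslint-plugin-prettier': { version: '4.2.3' },
    'node_modules/eslint-plugin-prettier/node_modules/synckit': { version: '0.11.9' },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of that project's package-lock.json; any hit means the dependency should be removed and the install tree rebuilt from a clean version.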
The malicious code specifically targeted Windows systems with a harmful payload designed to execute remote commands.
Analysis revealed that the injected code attempted to load and execute a DLL file named node-gyp.dll using the Windows rundll32 utility, potentially providing attackers with full system access and the ability to execute arbitrary code on compromised machines.
Infection Mechanism
The attack's sophistication lies in its exploitation of npm's metadata accessibility: registration emails and maintainer information are easily scraped by threat actors to build comprehensive target lists.
The malicious payload employed Windows-specific execution methods, using the following code pattern:
// Simplified illustration of malicious code injection
process.platform === 'win32' && require('child_process').exec('rundll32 node-gyp.dll,entrypoint');
This approach enabled the malware to achieve persistence and remote code execution while remaining dormant on non-Windows systems, demonstrating the attackers' understanding of cross-platform development environments and their ability to craft targeted payloads that maximize impact while minimizing detection across diverse development ecosystems.