
40 npm Packages Compromised: A Deep Dive into the Supply Chain Attack Exploiting bundle.js for Credential Theft

Cybersecurity researchers have recently identified a new software supply chain attack targeting the npm registry, impacting over 40 packages maintained by various developers. The compromised versions of these packages include a function named NpmModule.updatePackage. This function downloads a package tarball, alters package.json, injects a malicious script named bundle.js, repacks the archive, and republishes it, which lets the malware trojanize downstream packages automatically.

The primary objective of this attack is to search developer machines for sensitive information using TruffleHog's credential scanner, ultimately sending this data to a server controlled by the attackers. The malicious code runs on both Windows and Linux systems.

The list of affected packages is extensive and includes:

The injected JavaScript, bundle.js, is designed to download and execute TruffleHog to scan for tokens and cloud credentials such as GITHUB_TOKEN and AWS_ACCESS_KEY_ID. It validates npm tokens using the whoami endpoint and interacts with GitHub APIs when valid tokens are present. The script is also capable of querying cloud metadata that could reveal short-lived credentials on cloud build agents.

Additionally, the script uses developer credentials, including GitHub personal access tokens, to create workflows in .github/workflows, exfiltrating the gathered data to a specified endpoint. Developers are urged to audit their environments and rotate npm tokens and any exposed secrets if they are using the compromised packages.

This incident coincides with warnings from the Rust Security Response Working Group about phishing emails targeting users of the crates.io registry. These phishing attempts originate from a typosquatted domain pretending to belong to the Rust Foundation, misleading recipients into clicking links to rotate login credentials.

The Rust team has emphasized that these emails are malicious, originate from an unauthorized domain, and are designed to capture GitHub credentials. They are actively monitoring for suspicious activity and taking measures to address this phishing threat.
