threatpost.com
35.173.160.135
Public Scan
URL:
https://threatpost.com/malicious-npm-packages-web-apps/178137/
Submission: On February 03 via api from US — Scanned from DE
Form analysis
4 forms found in the DOM
POST /malicious-npm-packages-web-apps/178137/#gf_5
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_5" id="gform_5" action="/malicious-npm-packages-web-apps/178137/#gf_5">
<div class="gform_body">
<ul id="gform_fields_5" class="gform_fields top_label form_sublabel_below description_below">
<li id="field_5_8" class="gfield field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_8"></label>
<div class="ginput_container ginput_container_text"><input name="input_8" id="input_5_8" type="text" value="" class="medium" placeholder="Your name" aria-invalid="false"></div>
</li>
<li id="field_5_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_1"><span class="gfield_required">*</span></label>
<div class="ginput_container ginput_container_email">
<input name="input_1" id="input_5_1" type="text" value="" class="medium" placeholder="Your e-mail address" aria-required="true" aria-invalid="false">
</div>
</li>
<li id="field_5_9" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden"><input name="input_9" id="input_5_9" type="hidden" class="gform_hidden"
aria-invalid="false" value=""></li>
<li id="field_5_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label"><span class="gfield_required">*</span></label>
<div class="ginput_container ginput_container_checkbox">
<ul class="gfield_checkbox" id="input_5_2">
<li class="gchoice_5_2_1">
<input name="input_2.1" type="checkbox" value="I agree" id="choice_5_2_1">
<label for="choice_5_2_1" id="label_5_2_1">I agree to my personal data being stored and used to receive the newsletter</label>
</li>
</ul>
</div>
</li>
<li id="field_5_5" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label"><span class="gfield_required">*</span></label>
<div class="ginput_container ginput_container_checkbox">
<ul class="gfield_checkbox" id="input_5_5">
<li class="gchoice_5_5_1">
<input name="input_5.1" type="checkbox" value="I agree" id="choice_5_5_1">
<label for="choice_5_5_1" id="label_5_5_1">I agree to accept information and occasional commercial offers from Threatpost partners</label>
</li>
</ul>
</div>
</li>
<li id="field_5_10" class="gfield gform_validation_container field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_10">Phone</label>
<div class="ginput_container"><input name="input_10" id="input_5_10" type="text" value=""></div>
<div class="gfield_description" id="gfield_description__10">This field is for validation purposes and should be left unchanged.</div>
</li>
</ul>
</div>
<div class="gform_footer top_label"> <input type="submit" id="gform_submit_button_5" class="gform_button button" value="Subscribe" onclick="if(window["gf_submitting_5"]){return false;} window["gf_submitting_5"]=true; "
onkeypress="if( event.keyCode == 13 ){ if(window["gf_submitting_5"]){return false;} window["gf_submitting_5"]=true; jQuery("#gform_5").trigger("submit",[true]); }" style="display: none;"> <input
type="hidden" name="gform_ajax" value="form_id=5&title=&description=&tabindex=0">
<input type="hidden" class="gform_hidden" name="is_submit_5" value="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="5">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
<input type="hidden" class="gform_hidden" name="state_5" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_5" id="gform_target_page_number_5" value="0">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_5" id="gform_source_page_number_5" value="1">
<input type="hidden" name="gform_field_values" value="">
</div>
<p style="display: none !important;"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js" name="ak_js" value="1643896891227">
<script>
document.getElementById("ak_js").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
GET https://threatpost.com/
<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
<input type="text" class="c-site-search__field" name="s" placeholder="Search">
<button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
</svg> Search</button>
<div class="c-site-search__overlay"></div>
</form>
POST https://threatpost.com/wp-comments-post.php
<form action="https://threatpost.com/wp-comments-post.php" method="post" id="commentform" class="comment-form">
<div class="o-row">
<div class="o-col-12@md">
<div class="c-form-element"><textarea id="comment" name="comment" cols="45" rows="8" aria-required="true" placeholder="Write a reply..."></textarea></div>
</div>
</div>
<div class="o-row">
<div class="o-col-6@md">
<div class="c-form-element"><input id="author" name="author" placeholder="Your name" type="text" value="" size="30"></div>
</div>
<div class="o-col-6@md">
<div class="c-form-element"><input id="email" name="email" placeholder="Your email" type="text" value="" size="30"></div>
</div>
</div>
<p class="form-submit"><input name="submit" type="submit" id="submit" class="c-button c-button--primary" value="Send Comment"> <input type="hidden" name="comment_post_ID" value="178137" id="comment_post_ID">
<input type="hidden" name="comment_parent" id="comment_parent" value="0">
</p>
<p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="d9d7328497"></p><!-- the following input field has been added by the Honeypot Comments plugin to thwart spambots -->
<input type="hidden" id="VAXt8mn9BrJISq3nNXbn5fPPB" name="zJXb4vBUJT7lZyLj6tIpkgvPI">
<script type="text/javascript">
document.addEventListener("input", function(event) {
if (!event.target.closest("#comment")) return;
var captchaContainer = null;
captchaContainer = grecaptcha.render("recaptcha-submit-btn-area", {
"sitekey": "6LfsdrAaAAAAAMVKgei6k0EaDBTgmKv6ZQrG7aEs",
"theme": "standard"
});
});
</script>
<script src="https://www.google.com/recaptcha/api.js?hl=en&render=explicit" async="" defer=""></script>
<div id="recaptcha-submit-btn-area"> </div>
<noscript>
<style type="text/css">
#form-submit-save {
display: none;
}
</style>
<input name="submit" type="submit" id="submit-alt" tabindex="6" value="Submit Comment">
</noscript>
<p style="display: none !important;"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js" name="ak_js" value="166">
<script>
document.getElementById("ak_js").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
GET https://threatpost.com/
<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
<input type="text" class="c-site-search__field" name="s" placeholder="Search">
<button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
</svg> Search</button>
<div class="c-site-search__overlay"></div>
</form>
Text Content
THOUSANDS OF MALICIOUS NPM PACKAGES THREATEN WEB APPS
Author: Elizabeth Montalbano
February 2, 2022 9:00 am
4 minute read

Attackers increasingly are using malicious JavaScript packages to steal data, engage in cryptojacking and unleash botnets, offering a wide supply-chain attack surface for threat actors.

More than 1,300 malicious packages have been identified in the most oft-downloaded JavaScript package repository used by developers, npm, in the last six months — a rapid increase that showcases how npm has become a launchpad for a range of nefarious activities.
New research from open-source security and management firm WhiteSource has discovered the disturbing increase in the delivery of malicious npm packages, which are used as building blocks for web applications. Any app using a malicious code block could be serving up data theft, cryptojacking, botnet delivery and more to its users.

Out of the malicious packages found, 14 percent were designed to steal sensitive information like credentials, while nearly 82 percent of those packages were performing “reconnaissance,” which involved adversaries actively or passively gathering information that can be used to support targeting, the firm said.

Because npm packages in general are being downloaded upwards of 20 billion times a week, and thus installed across countless web-facing components of software and applications across the world, exploiting them means a sizeable playing field for attackers, researchers said in their Wednesday report.

An average of 32,000 new npm package versions are published every month (17,000 daily), and a full 68 percent of developers depend upon it to create rich online functionality, according to WhiteSource. That level of activity enables threat actors to launch a number of software supply-chain attacks, researchers said.

Accordingly, WhiteSource investigated malicious activity in npm, identifying more than 1,300 malicious packages in 2021 — which were subsequently removed, but may have been brought into any number of applications before they were taken down.

“Attackers are focusing more efforts on using npm for their own nefarious purposes and targeting the software supply chain using npm,” they wrote in the report. “In these supply-chain attacks, adversaries are shifting their attacks upstream by infecting existing components that are distributed downstream and installed potentially millions of times.”

To boot, with so many npm packages being released monthly, it’s also easy for some vulnerabilities to slip through the cracks, researchers noted.
WHY ATTACK NPM?

JavaScript is the most commonly used programming language, and there are about 16.4 million JavaScript developers globally, according to WhiteSource. Its widespread use and deployment across applications and systems that use the internet also makes the JavaScript ecosystem a major target for attackers, researchers said.

Npm itself is one of the most popular package managers and registries, containing more than 1.8 million active packages, each of which has an average of 12.3 versions, researchers said. Package registries like npm also store packages, the metadata associated with them and the configurations that are needed to install them — all of which represent attack vectors, making it challenging for IT to keep up, especially when the need to track versions of packages is factored in.

Source: WhiteSource

Further, though npm and other registries play an integral role in the JavaScript development process, “there is a minimum standard of security associated with them” because most of them are maintained and verified by open-source communities or consortiums, researchers said. This makes them ripe for exploitation by attackers, according to WhiteSource.

Indeed, attackers are certainly onto the malicious opportunity npm represents and have already targeted its popular registries in several high-profile attacks last year. In January, attackers used npm to spread the CursedGrabber malware that could steal Discord tokens and thus enable attacks on users’ accounts and servers. Then in July, researchers found a malicious npm package that was stealing passwords via Chrome’s account-recovery tool. In December, attackers used npm to target Discord again, hiding malicious code within the package manager to harvest Discord tokens that can be used to take over unsuspecting users’ accounts and servers.
COMMON MALWARE, TARGETS AND IMPACT

WhiteSource researchers identified some of the most common malware hidden in malicious npm packages that they observed in the report, with payloads that can steal credentials or crypto and run botnets among the top offenders. Some of the malicious packages and their functionality that WhiteSource identified in its investigation include the following:

* mos-sass-loader and css-resources-loader, which engage in brandjacking for remote code execution (RCE);
* circle-admin-web-app and browser-warning-ui, which select external packages including malware for download;
* @grubhubprod_cookbook, which engages in dependency confusion aimed at entering Grubhub company data;
* H98dx, a remote shell executable that runs upon install to infect the machine; and
* Azure-web-pubsub-express, which enables data aggregation that collects host information.

Researchers also described a supply-chain attack that they observed in October using a popular npm library, ua-parser-js, which is used to parse user agent strings to identify a user’s browser, OS, device and other attributes. The library has more than 7 million weekly downloads, they said.

Threat actors used ua-parser-js to leverage the software supply chain and gain access to sensitive data, as well as vulnerable enterprise resources in the cloud, researchers explained.

“Attackers inserted malicious code into three versions of ua-parser-js after seemingly taking over the developer’s npm account,” researchers wrote. “Three new versions of this package were released in an attempt to get users to download them.”

While the previously clean version of the package was 0.7.28, the attacker published identical 0.7.29, 0.8.0 and 1.0.0 packages, “each containing malicious code that was activated upon installation,” they explained.
The author of the package responded quickly to mitigate attacks and attempt to minimize the number of people who were inadvertently installing a malicious package by publishing 0.7.30, 0.8.1 and 1.0.1, researchers added.

Developers should be especially vigilant when downloading npm packages on weekends, as they are the most popular time of the week for attackers to release malicious packages, researchers found. This is likely because fewer people are working and thus online, making it easier for their activity to go unnoticed, they said.

Categories: Cloud Security, Malware, Vulnerabilities, Web Security

DISCUSSION

rick on February 2, 2022: log4j isn't javascript