Summary:
Researchers have been actively monitoring and reporting on various malware campaigns targeting open-source ecosystems. These campaigns involve deceptive tactics such as malicious updates to npm packages, malware posing as a GCC binary, and packages with complex command-and-control setups for data exfiltration.
One significant discovery is a campaign spanning Python (PyPI), JavaScript (npm), and Ruby (RubyGems) ecosystems. It began with a Python package called "kwxiaodian" that collects and exfiltrates data from macOS devices. Similar actions were found in malicious npm packages, and the RubyGems package followed suit, indicating an interconnected campaign targeting macOS users.
Researchers also uncovered a malicious campaign involving NPM packages disguised as GCC utility libraries, with the latest discovery being the "gcc-patch" package. Despite claiming to be a custom GCC compiler, it's a hidden cryptocurrency miner. This deceptive package activates the miner when developers believe they are using a legitimate compiler, raising concerns due to its lack of compiler functionalities, an anonymous author, and suspicious behavior. A technical investigation revealed that "index.js" exports the build function, running the fake GCC compiler in the background when invoked. The binary includes cryptographic functions related to cryptocurrency mining and indicators of communication with a mining server. This evidence strongly suggests that the binary is not a genuine GCC compiler.
In another discovery, Researchers identified NPM packages masquerading as email validation tools, highlighting the importance of supply chain security. These packages, like "email-validator-ext," secretly attempt to collect data from developers' environments, potentially leading to data breaches and exploitation.
Researchers emphasizes the need for cautious evaluation when integrating third-party packages, especially from uncertain sources. Vigilance, thorough scrutiny, and verifying author credibility are crucial to maintaining the security and integrity of software development processes in the face of persistent supply chain threats.
Threat Profile:
References:
The following reports contain further technical details:
https://blog.phylum.io/malware-campaign-targets-npm-pypi-and-rubygems-developers/
https://blog.phylum.io/cryptocurrency-miner-masquerading-as-gcc-compiler-found-in-npm-package/
https://blog.phylum.io/npm-emails-validator-package-malware/