New Malicious NPM Packages Attack Amazon & Slack

Recently, the cybersecurity researchers at Sonatype have detected a very new type of “dependency confusion” packages that have been assigned to the NPM ecosystem that are malicious in nature.

npm is a open source package manager for the JavaScript programming language and is the largest software registry in the world.

The threat actors are continuously targeting LYFT, Amazon, Slack NodeJS apps, and Zillow by using this new dependency confusion vulnerability.

Here, the primary reason for using this flaw is to steal the Linux/Unix password files and unrestrict the reverse shells back to the threat actors.

Inside /etc/shadow

All the packages that the security experts have detected are exploited the dependency confusion. First of all, with the help of this security flaw, a DNS request from the compromised system to their own server; But why? Simply to gather all the information like IP address and hostname. 

Dependency confusion used by threat actors

Since Sonatype has found all the malicious packages that are targeting the apps linked with Amazon, Zillow, Lyft, and Slack to steal essential data like open remote shells and passwords; the researchers wondering that when they were going to spot a malicious threat actor take advantage of this prevailing situation; after few minutes, they have spotted one.

Apart from this, the security researchers have asserted that all the vulnerable packages are named as ‘amzn’, ‘zg-rentals’, ‘lyft-dataset-sdk’, ‘serverless-slack-app’. And they have also claimed that the threat actors usually apply these types of similar names on GitHub and other projects.

Moreover, the threat actors use Birsan’s original PoCs as a template and add their own custom malicious code as well, once they did finishing up their own malicious NPMs.

Malicious packages 

The malicious packages that are involved in this vulnerability are mentioned below:-

  • amzn
  • zg-rentals
  • lyft-dataset-sdk
  • serverless-slack-app

Sneak peek at your .bash_history

Researchers detected another set of the package, that is user’s .bash_history file, simultaneously with the fingerprinting data like IP address, hostname, and current directory. 

Moreover, the list of commands that the .bash_history file includes is controlled by a Unix-based OS user earlier at the terminal.

If .bash_history file will not get cleared frequently then the threat actors will be able to retrieve data like usernames, passwords, and other sensitive data that only users should have access to.

More dependency hijacking packages

In total there are 35 tech firms were infiltrated, and this list includes big names like Microsoft, Netflix, and Apple. they have detected a huge hike in the dependency confusion copycats that are issued to NPM.

But, if you are a customer of Sonatype then you will get the top-notch protection offered by the automated malware detection systems and world-class security research data.

The security experts at Sonatype have claimed that the next-gen upstream software supply chain attacks are more deadly, as nowadays the threat actors don’t wait for the public flaw revelation.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.