
Mystery of industry-targeting backdoored NPM JavaScript packages solved

submitted by
Style Pass
2022-05-12 05:00:02

Malicious packages in the NPM Registry that security researchers for weeks believed were being used to stage supply-chain attacks against prominent industrial companies in Germany turned out to be part of a penetration test run by a cybersecurity company.

Researchers at Snyk in late April published a blog post about a JavaScript package that stood out among others they had found because it contained both encrypted and obfuscated files.

More recently, software maker JFrog and cybersecurity firm ReversingLabs this week released their own findings about multiple malicious libraries in the NPM Registry that all used the same payload and belonged to the same malware family as the one analyzed by Snyk. The goal appeared to be to launch dependency-confusion attacks, in which applications within German companies end up pulling, through a misconfiguration or similar error, malicious npm modules rather than the legitimate packages with similar or plausible names they were meant to use. If successful, developers within specific corporations would be fooled into introducing backdoors into their code bases.
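The dependency-confusion scenario described above hinges on a package name that an internal build expects from a private registry being served from the public registry instead. As an added example (not from the article or from any of the vendors it names), this Python check audits an npm package-lock.json for internal-looking packages that resolved from anywhere other than the private registry; the scope, package names and registry host are made up for the illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample lockfile in the npm lockfileVersion 2/3 layout. The
# "@example-corp" scope, the "example-corp-" prefix and the internal registry
# host are invented for this example.
SAMPLE_LOCK = json.dumps({
    "name": "billing-service",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "billing-service"},
        "node_modules/@example-corp/auth-client": {
            "version": "2.1.0",
            "resolved": "https://npm.example-corp.internal/@example-corp/auth-client/-/auth-client-2.1.0.tgz",
        },
        # Unscoped internal name that npm quietly fetched from the public registry:
        # the pattern a dependency-confusion attack exploits.
        "node_modules/example-corp-logger": {
            "version": "1.0.3",
            "resolved": "https://registry.npmjs.org/example-corp-logger/-/example-corp-logger-1.0.3.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
    },
})

def audit_lockfile(lock_json, internal_prefixes, private_registry_host):
    """Return (name, host) pairs for packages whose name matches an internal
    naming convention but whose tarball was not resolved from the private registry."""
    lock = json.loads(lock_json)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # the "" key is the project itself
        # Nested installs look like node_modules/a/node_modules/b; keep the last name.
        name = path.split("node_modules/")[-1]
        if not any(name.startswith(prefix) for prefix in internal_prefixes):
            continue
        host = urlparse(meta.get("resolved", "")).hostname
        if host != private_registry_host:
            findings.append((name, host or "<unresolved>"))
    return findings

if __name__ == "__main__":
    for name, host in audit_lockfile(SAMPLE_LOCK, ["@example-corp/", "example-corp-"],
                                     "npm.example-corp.internal"):
        print(f"internal-looking package {name} resolved from {host}")
```

Pinning every internal scope to the private registry in .npmrc (for the constructed scope: `@example-corp:registry=https://npm.example-corp.internal/`) removes the ambiguity for scoped names; unscoped internal names have no such binding, which is why the audit flags them by prefix.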

JFrog researchers in their blog post wrote that "compared with most malware found in the npm repository, this payload seems particularly dangerous: a highly-sophisticated, obfuscated piece of malware that acts as a backdoor and allows the attacker to take total control over the infected machine. Furthermore, this malware seems to be an in-house development and not based on publicly-available tools."
