SBN

This Week in Malware—npm malware exfiltrates Windows SAM, Amazon EC2 credentials

This Week in Malware, we continue to see an uptick in outright malicious and dependency confusion packages employing novel tactics. A list of some of the packages caught by Sonatype’s automated malware detection systems is given below and more analysis is expected to follow in subsequent blog posts next week.

npm package steals Amazon EC2, Windows SAM credentials

This week’s highlights include npm packages ‘@core-pas/cyb-core’ and ‘notreallyapackagetrustme’ analyzed by Sonatype security researchers Carlos Fernandez and Ali ElShakankiry.

CyberARK Core PAS (Privileged Access Security) is a prominent access management solution and ‘@core-pas/cyb-core’ in particular appears to target CyberARK developers, as the name suggests. 

Except, these dependency confusion packages, assigned sonatype-2022-3360, attempt to exfiltrate sensitive files such as:

A snippet of code contained within ‘@core-pas/cyb-core’ shown below demonstrates how the package goes well beyond the basic proof-of-concept stage when it peeks into these sensitive files.

The data collected is then uploaded to the domain shown below via a POST request:

https://cafl3i5hg02qsce2cbtgyzqfxnsjax361.oast[.]site

The list of some more npm dependency confusion packages caught this week is shown below, but this is by no means exhaustive, and dozens of packages are still awaiting analysis by our research team:


@centrifuge-cli/core
@centrifuge-cli/plugin-chain
@core-pas/cyb-core
@dpopp/database-client
@dpopp/identity
@dpopp/types
@manomano-toolbox/api-gateway
@manomano-toolbox/async-exports
@manomano-toolbox/catalog
@manomano-toolbox/commercial-operations
@manomano-toolbox/components
@manomano-toolbox/hub
@manomano-toolbox/pim-management
@manomano-toolbox/toolkit
@sky-mavis/cccc
@spinak/iac
@spinak/iac-lib
@storebrand-digital/fms-translations-react
@sudosnail42/vuln-app
@syno-vue-components/vue-tippy
@tamagoshi/core
@tamagoshi/icons
@tide-web-apps/bert2
@tide-web-apps/global-environments
@trp-iid-iid-digital/gdx-wc-branding
@trp-iid-iid-product/gdx-product-rest-client
@trp-iid-iid-svc/scheduler-schedule-rest-client
@trp-innersource-ui-kit/angular-communication
@trp-innersource-ui-kit/angular-navigation
@za-cli/components-react
app-with-frontegg
bebekair
caspr-front
cp2-shared-app
ferris-design-tokens
flame-vali
graphql-persisted
joax
kaluza-tech
mano-toolkit
mimic-server
mmolecule
nab-packages-react-utils-nab
newtestforme1007
newtestforme1008
nstmrt
nstmrt
ololo123
perf-benchmarks
react-effect-apollo
react-shopify-app-route-propagator
react-table-types
react-table-v7
slate-rc
slate-tag-webpack-plugin
solar-stellarorg-pages
ss-ui-micro-common
test-test-dc
test-test-dc-maintainer
vipps-stitches
vipps-stitches
vpc-stack-with-issues
vso-ts-agent
vso-ts-agent
vulny-appy
wxy-tools
xo-guest-components
zjusecdc-demo
zzzhelloeveryone

These packages were reported to npm by us prior to publishing.

Malicious Python package with encrypted payload

Malicious Python (PyPI) packages caught by us this week include:

 (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/this-week-in-malware-npm-malware-exfiltrates-windows-sam-amazon-ec2-credentials