Malicious NPM package racks up 50,000 infections in days, developers fully compromised


Security researchers are warning developers about a malicious npm package that mimics Ember.js, a popular JavaScript framework. Within a few days it was downloaded nearly 50,000 times, and any developer machine that installed it should be treated as fully compromised.

GitHub released an advisory alerting developers that malware was detected in the “ambar-src” npm package. npm is the public registry through which JavaScript developers publish and install reusable code packages.

“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer,” GitHub warns.


Uninstalling the package does not guarantee that all malicious software has been removed from the computer: by the time the package is noticed, the attackers have already had full control of the system and may have installed additional persistence.

The attackers apparently imitated “ember-source,” the npm package for the highly popular Ember.js framework, which has over 11 million downloads. Security experts believe typosquatting, choosing a name that mimics the popular package, served as the initial attack vector.


Tenable researchers, who analyzed the fake package, found that it deploys several off-the-shelf open-source malware families and uses a range of detection-evasion techniques.

“A single malicious npm package reached 50,000 downloads in days, highlighting the speed at which supply chain risks propagate,” Tenable, a security firm, said in a report.

The “ambar-src” package was uploaded on February 13th and initially contained no malicious code. Three days later, once a significant number of users had downloaded it, the threat actor published a new version carrying the malicious payload. A clean first release that builds download counts before a malicious update lands is a well-known pattern, and one reason to pin exact dependency versions and install from a lockfile rather than accept whatever the latest release is.

The attackers target all major operating systems. The package detects the operating system, fetches the matching loader from a remote server, and executes it. The malware had “a large set of impressive capabilities,” including screenshot capture for reconnaissance, exfiltration of web browser data, and fake password prompts to harvest credentials.


“Merely running ‘npm install ambar-src’ (or resolving it as a dependency) is sufficient to trigger the malicious payload, requiring no explicit import or invocation of the package’s code by the victim,” Tenable said.

The report details that the attackers used infrastructure in Russia, specifically the domain x-ya[.]ru to host the malicious payloads.

npm removed the package from the public registry less than five hours after the first malicious version was published.

The registry is fighting a constant stream of attempts to compromise existing packages or publish new malicious ones.


JFrog's security team identified another malicious npm package, “eslint-verify-plugin”, which masquerades as a legitimate ESLint utility and uses the same domain to deliver a sophisticated multi-stage infection chain targeting macOS and Linux environments.

Last year, the platform suffered a massive self-propagating supply chain attack dubbed Shai-Hulud.

This challenge is not exclusive to npm, however. Threat actors consistently target every major package repository, including PyPI, as well as code-hosting platforms such as GitHub.

Socket, a security firm, reports four malicious NuGet packages targeting ASP.NET developers whose names follow typosquatting patterns: NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_.

“The campaign’s objective is not to compromise the developer's machine directly, but to compromise the applications they build. By controlling the authorization layer during development, the threat actor gains access to deployed production applications,” the security firm warns.

