- 17 NPM packages with more than a million weekly downloads were compromised to deliver a RAT
- The attack could turn into a major supply chain attack, experts warned
- The packages were since deprecated, but users should be on their guard
More than a dozen packages on NPM were poisoned with a Remote Access Trojan (RAT), possibly infecting millions of projects.
Cybersecurity researchers Aikido Security recently discovered malicious code buried very deep in 17 popular Gluestack packages.
The packages cumulatively have more than a million downloads weekly, meaning huge amounts of users could possibly be affected, the experts warned.
Revoking access tokens
Here is the full list of compromised packages:
- @react-native-aria/button
- @react-native-aria/checkbox
- @react-native-aria/combobox
- @react-native-aria/disclosure
- @react-native-aria/focus
- @react-native-aria/interactions
- @react-native-aria/listbox
- @react-native-aria/menu
- @react-native-aria/overlays
- @react-native-aria/radio
- @react-native-aria/switch
- @react-native-aria/toggle
- @react-native-aria/utils
- @gluestack-ui/utils
- @react-native-aria/separator
- @react-native-aria/slider
- @react-native-aria/tabs
The packages deployed malicious code that connected to the attackers’ command-and-control (C2) and received additional commands including, among other things, the ability to upload a single, or multiple files.
Furthermore, the trojan can execute Windows PATH hijacking and silently override legitimate python and pip commands.
In response, Gluestack revoked an access token used to publish the compromised packages. All of the poisoned tools are marked on NPM as deprecated.
“Unfortunately, unpublishing the compromised version wasn’t possible due to dependent packages,” a GlueStack developer said on GitHub. “As a mitigation, I have deprecated the affected versions and updated the latest tag to point to a safe, older version.”
The Node Package Manager (NPM) is the default package manager for the JavaScript runtime environment Node.js. It is used to install libraries, share packages with the community, manage dependencies, run scripts, and more.
As such, it is vastly popular, having millions of monthly visitors, and hundreds of thousands of registered accounts that frequently publish their packages.
Unfortunately, popular platforms attract threat actors in droves, and situations such as this one are not uncommon on NPM, or similar platforms such as GitHub or PyPi.
Via BleepingComputer
Leave a comment