- A popular npm maintainer fell prey to a phishing attack, sharing login credentials with cybercriminals
- The attackers accessed their npm account and pushed malware through a popular package
- They were removed six hours later, but users should still take caution
Experts have warned that ‘is’, an npm package with more than 2.8 million weekly downloads, was also compromised in the same manner, and served malware for roughly six hours.
This comes shortly after Eslint-config-prettier, another popular npm package, was recently compromised in a supply chain attack which made it serve malware, after its maintainer, JounQin, received an email that spoofed the support@npmjs.com account, asking them to “verify” their account which, when they did, gave the attackers their login credentials.
The access was used to push install versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 of the eslint-config-prettier package, which carried malware. Other compromised packages belonging to the same developer include eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall.
Backdoors and infostealers
Now, new reports claim that John Harband, the maintainer of the ‘is’ was also compromised the same way. The attackers maintained access for roughly six hours, during which they pushed versions 3.3.1 through 5.0.0, which contained malicious code.
‘Is’ is a lightweight JavaScript utility library that basically helps check what kind of value something is.
For example, it can tell you if something is a number, a list, or a word. It can also check if something is empty or if two things are the same.
It is simple, but rather popular, being widely used as a low-level utility dependency in development tools, testing libraries, build systems, and backend and CLI projects.
The malware deployed through these packages was a WebSocket-based backdoor that granted the attackers remote code execution capabilities on compromised endpoints. The Eslint one was also dropping Scavanger, an infostealer grabbing data stored in the web browser.
Via BleepingComputer
You might also like
Discover more from cplexmath tech stop
Subscribe to get the latest posts sent to your email.
Add Comment