It keeps happening.
The Worm Strikes Again
TeamPCP has launched another campaign in the mould of the Mini Shai-Hulud attack, this time targeting the software supply chain in the npm and PyPI ecosystems, including TanStack, uipath and mistralai (although the last two were ultimately rendered non-functional by a pre-existing bug in the packages). Reusing the command-and-control infrastructure of previous campaigns, this latest attack touches several layers of the development ecosystem; persistence and propagation are its key facets, alongside credential theft and data wiping.
One stage of this malware installs a persistent gh-token-monitor daemon. But what exactly is that? In computing, a daemon is a background process that runs without user interaction or prompting for permission. Daemons are most common on Unix-based systems, which are often the backbone of package development. Because a daemon needs no oversight, a malicious one can go unnoticed until persistence is established and/or the poisoned package is integrated into the main registry. In this case, the token monitor checks a set of criteria that determines whether or not the wiper is triggered. The malware collects any GitHub personal access tokens or OAuth tokens it finds, then runs them through a series of validity checks: whether the token's API response contains a login field, whether its scope includes repo or public_repo, whether the profile is public, whether the token can write to a repository, and whether it belongs to a member of an organisation.
A Python variant is also being distributed, as trojanized versions of guardrails-ai[@]0.10.1 and mistralai[@]2.4.6. These operate differently from the JavaScript version of the malware: they are not obfuscated and contain a modular credential stealer that runs on Linux machines whose locale is not Russian (a check the JavaScript version also performs). The data this variant exfiltrates includes password vaults such as Bitwarden. This version also plays an mp3 file at full volume while deleting files if the machine's location settings, its timezone and language, are Israeli or Iranian.
Besides the wiper daemon, this campaign has another notable upgrade over previous attacks: redundancy in the C2 architecture. Instead of funnelling stolen data to a single place, it now sends it to three: a typosquatted domain, the Session messenger network, and Dune-themed dead-drop repositories reached through the GitHub API.
The npm team is removing the malicious packages from the registry as soon as it finds them, but Wiz has further recommendations for avoiding infection. Beyond the common-sense tactic of rotating credentials, which should already be happening frequently as the first step in preventing credential theft, Wiz encourages developers to check their exposure by searching lockfiles and CI logs for the affected package versions. Watch for persistence: search developer machines for the gh-token-monitor daemon and remove it, and do this before revoking GitHub tokens, so that the revocation does not trigger the wiper. Audit IDE directories, since router_runtime.js and setup.mjs survive npm uninstall. Finally, block the C2 infrastructure at the DNS/proxy level, as the domains are known (git-tanstack[.]com and *.getsession[.]org). Wiz's article also links to postmortems of each affected package for more detail.
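As an added illustration of the exposure and persistence checks above (example code written for this page, not Wiz's or npm's tooling), the following Python script matches a package-lock.json, a requirements.txt, CI log text and a file listing against the indicators named in the write-up. The sample inputs in the test are constructed; the npm package versions are left to the caller because the write-up does not state them.

```python
import json
import re
from pathlib import PurePath

# Indicators taken from the write-up above. Only the PyPI versions are stated
# there; npm versions must come from the postmortems, so the npm scan takes
# its affected set as a parameter instead of hard-coding a guess.
AFFECTED_PYPI = {("guardrails-ai", "0.10.1"), ("mistralai", "2.4.6")}
PERSISTENCE_FILES = {"router_runtime.js", "setup.mjs"}
DAEMON_NAME = "gh-token-monitor"
C2_HOST_RE = re.compile(
    r"(?:^|[^a-z0-9.-])(git-tanstack\.com|(?:[a-z0-9-]+\.)*getsession\.org)(?![a-z0-9-])",
    re.IGNORECASE,
)

def scan_npm_lockfile(lock_text, affected):
    """Match the "packages" map of a package-lock.json (lockfileVersion 2/3)
    against a caller-supplied set of (name, version) pairs."""
    lock = json.loads(lock_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the "" key is the root project itself, not a dependency
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if (name, meta.get("version")) in affected:
            hits.append((name, meta["version"]))
    return hits

def scan_requirements(req_text, affected=AFFECTED_PYPI):
    """Return pinned (name, version) pairs from a requirements.txt that are
    affected; names are lower-cased, markers and comments are ignored."""
    hits = []
    for line in req_text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s;#]+)", line)
        if m and (m.group(1).lower(), m.group(2)) in affected:
            hits.append((m.group(1).lower(), m.group(2)))
    return hits

def find_c2_references(log_text):
    """Return the campaign's C2 hostnames that appear in CI log text; any hit
    means a build reached the typosquatted domain or the Session network."""
    return sorted({m.group(1).lower() for m in C2_HOST_RE.finditer(log_text)})

def find_persistence(paths):
    """From a file listing (e.g. IDE extension and service directories), keep
    the paths that are known persistence files or carry the daemon's name."""
    return sorted(p for p in paths
                  if PurePath(p).name in PERSISTENCE_FILES
                  or DAEMON_NAME in PurePath(p).name)
```

Run the four functions over the real lockfile, requirements file, CI log export and a directory walk of developer machines; any non-empty result is a lead to act on before tokens are revoked.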
Posted, 5/14/26
StegaBin npm Packages Deploy Multi-Stage Malware
26 malicious npm packages used Pastebin steganography to hide command-and-control infrastructure, deploying a remote access trojan and a nine-module infostealer toolkit.
Source: Socket
Read more: CyberSecBrief
Funding FujoCoded: Stretch Goals!
It’s time! With our first goal met (🎉 thank you!), let’s talk about stretch goals. We have quite a few planned, so we're going to go through them one by one and explain what they are and why we chose them!
Before we go down the list, here's something fun:
Sticker Unlock: At 45 backers, we also unlocked one more sticker!
The goal of our campaign is to cover business expenses most of all. The unlocked content is an extra token of gratitude for your support that also helps us meet our own targets!
With that said, let's get to our stretch goals...