- 17 npm packages with more than a million combined weekly downloads have been compromised to deliver a RAT
- The attack could turn into a major supply-chain compromise, experts warned
- The packages have since been deprecated, but users should remain vigilant
More than a dozen packages on npm were poisoned with a remote access trojan (RAT), potentially infecting millions of projects.
Researchers at Aikido Security recently discovered malicious code buried deep inside 17 popular gluestack packages.
The packages cumulatively see more than a million downloads each week, which means a huge number of users could be affected, the researchers warned.
Revoke the access token
Here is the full list of compromised packages:
- @react-native-aria/button
- @react-native-aria/checkbox
- @react-native-aria/combobox
- @react-native-aria/disclosure
- @react-native-aria/focus
- @react-native-aria/interactions
- @react-native-aria/listbox
- @react-native-aria/menu
- @react-native-aria/overlay
- @react-native-aria/radio
- @react-native-aria/switch
- @react-native-aria/toggle
- @react-native-aria/utils
- @gluestack-ui/utils
- @react-native-aria/separator
- @react-native-aria/slider
- @react-native-aria/tabs
The packages deployed malicious code that connected to the attackers' command-and-control (C2) server and received additional commands, among them the ability to download one or more files.
In addition, the trojan can perform Windows PATH hijacking, silently replacing the legitimate python and pip commands; on a developer workstation that means later invocations of python or pip from the shell run attacker-controlled code.
In response, gluestack revoked the access token that had been used to publish the compromised packages. All poisoned versions are marked as deprecated on npm.
"Unfortunately, unpublishing the compromised version was not possible due to dependent packages," a gluestack developer said on GitHub. "As a mitigation, I deprecated the affected versions and updated the latest tag to point to a safe older version."
npm (Node Package Manager) is the default package manager for the JavaScript runtime Node.js. It is used to install libraries, share packages with the community, manage dependencies, run scripts, and more.
As such, it is hugely popular, with millions of monthly visitors and hundreds of thousands of registered accounts that frequently publish their packages.
Unfortunately, popular platforms attract threat actors in large numbers, and situations like this one are not uncommon on npm or on similar platforms such as GitHub or PyPI.
Via BleepingComputer