Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Version 1.2.9 contains malicious code #131

Open
magano opened this issue Nov 4, 2021 · 29 comments
Open

Version 1.2.9 contains malicious code #131

magano opened this issue Nov 4, 2021 · 29 comments

Comments

@magano
Copy link

magano commented Nov 4, 2021

Check if you have this version installed locally as it contains malicious code that runs on Windows
For a short period of time this version was available on the registry and it contained some malicious code!

If you have this version you should have 2 files:

  • compile.js
  • compile.bat
    And a preinstall script inside the package.json file
  • "preinstall": "start /B node compile.js & node compile.js"
@mohe2015
Copy link

mohe2015 commented Nov 4, 2021

GHSA-g2q5-5433-rhrf

@DanielRuf
Copy link

DanielRuf commented Nov 4, 2021
edited
Loading

See also this RFC to disable npm scripts by default: npm/rfcs#80

@vielmetti vielmetti mentioned this issue Nov 4, 2021
Closed
@ccravens
Copy link

ccravens commented Nov 5, 2021

Hello all, I've started a petition to try and get NPM to implement security measures to prevent publishing compromised packages. Please support our petition by signing and sharing, thank you!

https://www.change.org/p/npm-please-secure-package-releasing

@e4711s
Copy link

e4711s commented Nov 5, 2021
edited
Loading

Timestamps of the malicious packages' publication (via "npm show rc time"):
'1.2.9': '2021-11-04T15:30:19.438Z',
'1.3.9': '2021-11-04T15:30:34.911Z',
'2.3.9': '2021-11-04T15:30:47.021Z'

Does anyone know when they were unpublished?

@e4711s
Copy link

e4711s commented Nov 5, 2021
edited
Loading

https://twitter.com/npmjs/status/1456398505832976384 is a rough indication.
It was posted at 11:10 PM · Nov 4, 2021 UTC

@e4711s
Copy link

e4711s commented Nov 5, 2021

Does anyone know if the malware is only targetting Windows or other operating systems as well?
https://www.bleepingcomputer.com/news/security/popular-coa-npm-library-hijacked-to-steal-user-passwords/ indicates it might be only Windows, but I'm not sure.

@magano
Copy link
Author

magano commented Nov 5, 2021

This one specifically was triggering the execution of a BAT file so, only Windows

@mohe2015
Copy link

mohe2015 commented Nov 5, 2021
edited
Loading

Are you sure because the ua-parser-js one also targeted windows (edit: I meant also Linux) and the file list looks similar. Is the code available somewhere?

@e4711s
Copy link

e4711s commented Nov 5, 2021

ua-parser-js had malware for Windows and Linux attached

@magano
Copy link
Author

magano commented Nov 5, 2021
edited
Loading

I still have the compromised package on my dev machine. Not sure how to share it though

@christophetd
Copy link

@magano Can you PM me on Twitter or on the e-mail listed on my profile? Happy to give instructions and I'd be interested on having a look. Thank you!

@5stars217
Copy link

Hello all, I've started a petition to try and get NPM to implement security measures to prevent publishing compromised packages. Please support our petition by signing and sharing, thank you!

https://www.change.org/p/npm-please-secure-package-releasing

@ccravens Be better off engaging Node (and your employer(s) about how you can contribute to a fund/project to acquire the funding to do so, rather than just have a petition for something they're well aware of. https://github.com/nodejs/nodejs.org/blob/main/CONTRIBUTING.md

@e4711s
Copy link

e4711s commented Nov 5, 2021

@magano can you upload the entire package to virustotal?

chao-xian added a commit to alphagov/explore-prototype-4 that referenced this issue Nov 5, 2021
@chao-xian
Update to pin rc to 1.2.8
753a479 
1.2.9 has malware

dominictarr/rc#131
@chao-xian chao-xian mentioned this issue Nov 5, 2021
Merged
@GNtousakis
Copy link

GNtousakis commented Nov 8, 2021
edited
Loading

@magano Can you please share with me the malicious package code on a twitter PM or send me a email on gntousakis@isc.tuc.gr ? I want to run some analysis on the source. Thank you very much! :-) :-)

@rsta2 rsta2 mentioned this issue Nov 9, 2021
Closed
@chrisrocks
Copy link

Does anybody know what's the exact timeframe of the availability of the malware?
At what time/date have they been published and when exactly have those versions been removed?
Thanks

@DanielRuf
Copy link

@chrisrocks please see the previous comments:

#131 (comment)

@MichaelGissingNC
Copy link

In contrast to the coa library, I can't find the actual content of the malicious change somewhere for the rc package.

I saw a lot of comments about them being basically the same payloads, but I wanted to confirm this somehow.

I am especially interested if the behavior for Linux and Mac is the same, so it does not affect Linux and Mac at all. In this issue's description it mentions compile.js and compile.bat, also npm on twitter says it's the same payload. However, I would rest easier if I could confirm that somehow.

@DanielRuf
Copy link

In contrast to the coa library, I can't find the actual content of the malicious change somewhere for the rc package.

That's because npm found it much faster and directly removed it shortly after it was published.

@GNtousakis
Copy link

@DanielRuf Do you know if we can find the malicious code somewhere so we can review it?

@DanielRuf
Copy link

I am especially interested if the behavior for Linux and Mac is the same, so it does not affect Linux and Mac at all. In this issue's description it mentions compile.js and compile.bat, also npm on twitter says it's the same payload. However, I would rest easier if I could confirm that somehow.

In all cases (ua-parser-js, coa, rc) the payloads were: dll / exe for Windows (password stealer) + cprytominer for Windows / Linux, MacOS.

A cryptominer is the smallest issue that you will have and mostly harmless.

start /B node compile.js

See also #131 (comment)

start is a command from Windows. And so are bat files.

@DanielRuf Do you know if we can find the malicious code somewhere so we can review it?

So far npm was way faster to remove it so it looks like no one has a copy unless you were affected. Normally sonatype catches such things earlier but as npm was faster, not sure.

See also https://blog.sonatype.com/npm-hijackers-at-it-again-popular-coa-and-rc-open-source-libraries-taken-over-to-spread-malware and https://www.bleepingcomputer.com/news/security/popular-coa-npm-library-hijacked-to-steal-user-passwords/

And the "sdd.dll" dropped by malicious 'rc' versions is yet again different (in terms of checksum) than these two. But all of the DLLs essentially plant the same malware.

@MichaelGissingNC
Copy link

In all cases (ua-parser-js, coa, rc) the payloads were: dll / exe for Windows (password stealer) + cprytominer for Windows / Linux, MacOS.

A cryptominer is the smallest issue that you will have and mostly harmless.

@DanielRuf That's not entirely true, I did not see a cryptominer shipped for Linux and MacOS in the coa package. I did not look at the ua-parser-js though.

start is a command from Windows. And so are bat files.

The preinstall line for coa was start /B node compile.js & node compile.js which actually runs on my Linux machine because of the second part:

/tmp/tmp.PHDjrF6bwH/sip-7/test01-run-on-linux$ cat compile.js 
console.log("hello world")

/tmp/tmp.PHDjrF6bwH/sip-7/test01-run-on-linux$ sh -c "start /B node compile.js & node compile.js"
sh: 1: start: not found
hello world

So if the compile.js was the same as for coa, then it's fine, because there the actual call to compile.bat was hidden and nothing else is executed for Linux and Mac

@DanielRuf
Copy link

@DanielRuf That's not entirely true, I did not see a cryptominer shipped for Linux and MacOS in the coa package. I did not look at the ua-parser-js though.

It was at least the same threat actor according to the sources so the payloads were probably the same. rc and coa probably just shipped the stealer malware and not the cryptominer anymore. I did not check this in detail.

I think the links contain the most information (for rc and coa it is probably safe to assume that it was the same payload).

@magano
Copy link
Author

magano commented Nov 10, 2021

@magano can you upload the entire package to virustotal?

I uploaded the bat file to Virus Total which lead to this:
https://www.virustotal.com/gui/file/eb99954657e3ae69c43c0ccb90131763030239fbd4dff18719e21dae2d6e0a93/behavior/VirusTotal%20Box%20of%20Apples

And the js file lead to the following:
https://www.virustotal.com/gui/file/6d743a0267197b937b31128272743793fc876c3804cb6f6935afc22688f04c06?nocache=1

@magano Can you please share with me the malicious package code on a twitter PM or send me a email on gntousakis@isc.tuc.gr ? I want to run some analysis on the source. Thank you very much! :-) :-)
Sent via email

@GNtousakis
Copy link

@magano thanks a lot!

@qubitter
Copy link

@magano could you please share with me the entire NPM package? My email address is cbershatsky@qualys.com - package is required for work

@volkancakil
Copy link

1 - event-stream
2 - rc
selling popular packages to the hackers is a new fassion?

@goatandsheep
Copy link

I'm maintaining a popular fork that is snyk-protected https://www.npmjs.com/package/run-con

@ljharb
Copy link
Contributor

ljharb commented Dec 3, 2021

@volkancakil that isn’t what happened in either case, nor any other I’m aware of.

@goatandsheep
Copy link

You're right it absolutely is not. You can even see in the git history. Dom's npm keys must have been hacked

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests