Tenable warns of supply chain attack on npm Registry
Tenable Research has uncovered a supply chain attack on the npm Registry which the company said demonstrates the speed at which modern supply chain risks can propagate.
The npm Registry is a public collection of packages of open-source code for Node.js, including front-end web apps, mobile apps, robots, routers and other tools used by JavaScript developers.
The attack uncovered by Tenable researchers involved uploading a malicious package to the registry that was designed to mimic a popular existing package to infect developers’ systems across Windows, macOS and Linux. In the mere five hours before it was removed, the malicious package was downloaded around 50,000 times, Tenable Research said. The threat is unique in that it did not require a developer to run any code to fall victim to the attack.
The moment a command to install the package is typed, a hidden preinstall script automatically runs in the background and is used to identify the victim’s system and install the malware.
Unlike legitimate software that has been compromised, the spoofed program’s only purpose is to deliver the malware, according to Tenable Director for Research Ari Eitan. The malware also uses multiple techniques to evade detection, and the installed malware is capable of exfiltrating sensitive data including screenshots and passwords.
“Developers often assume that if a package is available on a public registry it is safe to download,” he said. “By hiding the attack inside the installation process, hackers ensure they are inside your system before you’ve even had a chance to verify the code.”
More information about amber-src can be found here.
