Sonatype Unveils Full-Spectrum Software Supply Chain Management | Press Release

Open Source Components Analyzed by Nexus Intelligence:

70
111800560

A History of Software Supply Chain Attacks

July 2017–November 2021

https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_trojan_horse@2x-1.png

November 2021

Popular Library "coa" Gets Hijacked in an Identical Style as "ua-parser-js"

Malicious versions of "coa" broke React pipelines around the world until they were removed. These versions contained similar credential-stealing trojan as the one seen in hacked "ua-parser-js" versions.

Hours After "coa" Hijack Is Discovered, "rc" Is Hijacked, Too

Yet another popular npm package, "rc" with 14 million weekly downloads is hijacked to spread malware, merely hours after "coa" hack is spotted. The malware and attack style is identical, drawing a link between the threat actor behind both incidents. NPM pins the cause of both attacks to project maintainer's account compromise.

https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_crypto_mining%20copy%202@2x.png

October 2021

Newly Found npm Malware Mines Cryptocurrency on Multiple Devices

Between October 12–15, new npm cryptomining malware was found targeting Linux, macOS, Windows devices, and imitating the legitimate "ua-parser-js" package.

Popular "ua-parser-js" Library Attacked

On October 22, a popular "ua-parser-js" library with over 7 million weekly downloads was itself hijacked. The same cryptominers were found.

Fake npm Roblox API Package Installs Ransomware and has a Spooky Surprise

Between October 20 and 26, Sonatype discovered typosquatting packages that mimic noblox.js, a popular Roblox game API wrapper. The Obfuscated malware found in npm includes extra unwanted functionalities including trojans, ransomware, and even a spooky surprise.

 

Cryptomining
https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_skimming@2x.png

September 2021

Cryptocurrency Heist Stemmed from a Malicious GitHub Commit

SushiSwap's MISO cryptocurrency platform suffered a $3 million theft resulting from a software supply-chain attack. Just one malicious code commit made to Sushi’s private GitHub repository was enough to alter the company’s auction portal, and replace the authentic wallet address with the attacker's.

https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_broken_shield@2x.png

July 2021

Kaseya

A ransomware group discovered and exploited a zero-day vulnerability in a remote monitoring and management software platform used by dozens of managed security providers (MSP). Because these MSPs service thousands of downstream customers, the hackers were able to conduct a ransomware attack against 1,500 victims.

https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_code_bomb@2x.png

May 2021

Microsoft’s WinGet Flooded With Duplicate, Malformed Apps

The weekend after launching, Winget's software registry was flooded with pull requests for apps that were either duplicates or malformed. Some newly added duplicate packages were corrupted and ended up overwriting the existing packages, raising serious concerns about the integrity of the Winget ecosystem.

https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_hacker%20copy@2x.png

April 2021

Codecov

An attacker was able to gain access to a credential via a mistake in how Codecov were building Docker images. This credential then let them modify Codecov’s bash uploader script which was either used directly by customers or via Codecov’s other uploaders like their Github Action. The attacker used this modified script to steal credentials from the CI environments of customers using it.

Code_Thief-1
https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_keyboard%20copy@2x.png

February 2021

Namespace Confusion

Three days after news broke of an ethical researcher hacking over 35 big tech firms in a novel supply-chain attack, more than 300 malicious copycat attacks were recorded. Within one month, more than 10,000 dependency confusion copycats had infiltrated npm and other ecosystems.

https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_trojan_horse@2x-1.png

December 2020

SolarWinds

Threat actors gained access to SolarWinds dev infrastructure, and injected malicious code into Orion update binaries. 18,000 customers automatically pulled trojanized updates, planting backdoors into their systems and allowing bad actors to exploit private networks at will.

November 2020

Counterfeit Components Discovered in the npm Ecosystem

The series of components were identified as a successor to “fallguys” malware: discord.dll, discord.app, wsbd.js, and ac-addon. These components exfiltrate Discord and web browser’s “leveldb” files, as well as collect data such as IP address, “PC username,” “discordcanary” files, etc.

“CursedGrabber” Malware Discovered

Discovery of the malware, called xpc.js in the npm registry confirmed to be a part of the newly identified family of Discord malware named CursedGrabber. This malware targets Window hosts and steals Discord information, sending user information via webhook to the attacker.

New npm Malware With Bladabindi Trojan Spotted

The malicious typosquatted packages jdb.js and db-json.js are found laced with a popular Remote Access Trojan (RAT), njRAT aka Bladabindi. Upon install, the malicious script engaged in data gathering and reconnaissance, ultimately launching patch.exe which is an njRAT written in .NET. This allows a remote attacker to log keystrokes, modify registry values, initiate system shutdown or restart at will, among other nefarious activities.

Hacker_Concept-2
https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_code_bomb@2x.png

October 2020

Brandjacking Malware Found in npm

The counterfeit package twilio-npm opens a backdoor on a user’s device, giving attackers control of the compromised machine and Remote Code Execution (RCE) capabilities.

https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_keyboard@2x.png

August 2020

Multiple npm Packages Vulnerable to Typosquatting Attacks

The electorn, loadyaml, lodashs, and loadyml packages have all been identified as vulnerable. Once installed, the packages collect and expose sensitive information, including IP address, geolocation, and device fingerprint, publishing this data to a public GitHub page.

https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_code_bomb%20copy@2x.png

May 2020

Octopus Scanner

26 open source packages were found to be compromised through malicious code injection. The malware was designed to enumerate and backdoor NetBeans projects through the NetBeans IDE.

Octopus_Scanner-3
https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_broken_gem@2x-2.png

April 2020

Hundreds of Malware Gems found on RubyGems

400 gems were removed from the public repository for typosquatting and crypto mining malware. They include atlas-client (downloaded 2,100 times by developers).

https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_code_bomb@2x.png

January 2020

Microsoft Spots Malicious JavaScript Package

The malicious npm package — 1337qq-js — exfiltrates sensitive information such as hard-coded passwords or API access tokens through install scripts and targets UNIX systems only.

https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_trojan_horse@2x-1.png

December 2019

Trojanized Python Libraries Removed

Two Python libraries, python3-dateutil and jeIlyfish, were caught stealing SSH and GPG keys from the projects or infected developers.

November 2019

Computers Running Malicious npm Package Considered “Fully Compromised”

All versions of sj-tw-test-security are found to contain malicious code. The package downloads and runs a script that opens a reverse shell in the system, allowing a remote attacker to compromise the affected system.

Prototype Pollution Vulnerability Continues to Cause Problems

Taking advantage of a typosquatting exploit for lodash npm packages, all versions of the lodahs package contain malware designed to find and exfiltrate cryptocurrency wallets. Packages web3b and web3-eht were removed for the same exploit pattern.

dominoes
https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_broken_gem@2x-2.png

October 2019

Gem Packages Pulled From Repo

Three versions of the Gems package basic_authable, released in 2017, were yanked from the Gems repository due to their malicious nature.

https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_crypto_mining%20copy%202@2x.png

August 2019

Compromised Version of rest-client Maintainer Stole credentials, Installed Crypto Miners

A compromised version of rest-client, a popular HTTP and REST client for Ruby, was uploaded to RubyGems. Affected versions (1.6.10 to 1.6.13) were downloaded about 1,000 times. Similar vulnerabilities were found in Gem packages coming-soon and cron_parser.

Malicious Package Removed From npm Repository

The component bb-builder stole login information from the computers it was installed on, sending it to a remote server.

https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_code_bomb@2x.png

July 2019

Malicious Python Libraries Removed From PyPI

A security firm found three malicious Python libraries — libpeshnx, libpesh, and libari — uploaded on the official Python Package Index (PyPI) that contained a hidden backdoor which would activate when the libraries were installed on Linux systems.

RubyGems Component Found to Contain Malicious Code

This attack involves remote code execution in applications using or bundling the strong_password component. The hacker in this attack compromised the component and its dependencies — and locked out the gem maintainer

skull-chip-1
https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_hacker@2x-1.png

June 2019

Cryptocurrency Attack on npm via Malicious Code Injection

An npm package contained code designed to steal cryptocurrency wallet seeds and other login instruction details specific to cryptocurrency apps. Tipped off by npm researchers, makers of the Agama cryptocurrency wallets shifted $13 million worth of currency before adversaries could steal it.

23 Malicious RubyGems Packages Discovered

Packages were pulled from the public repository because they contained code for cryptomining or cookie/password stealing.

crypto_coins_bugs
https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_broken_gem@2x-2.png

March 2019

Backdoored RubyGems Package Allows Remote Code Execution

A malicious version of the popular bootstrap-sass package, downloaded a total of 28 million times to date, and with 1.6K dependencies, is published to the RubyGems repository. 

https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_injection@2x.png

November 2018

Malicious Package Injected Into Popular npm Package

The injected code in the event-stream package targets the Copay application and was designed to harvest account details and private keys from accounts having a balance of more than 100 Bitcoin or 1,000 Bitcoin Cash.

July 2018

Compromised JavaScript Package Caught Stealing npm Credentials

A hacker gains access to a developer’s npm account and injects malicious code into a popular JavaScript library called eslint-scope, a sub-module of the more famous ESLint, a JavaScript code analysis toolkit.

Homebrew Repository Compromised

A GitHub API token leaked from Homebrew’s Jenkins provided a security researcher with access to core Homebrew software repos.

“If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it,” researcher Eric Holmes explained.

password_theft
https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_code_bomb@2x.png

June 2018

Linux Distro Hacked on GitHub

Unknown individuals gain control of the Github Gentoo organization and modified the content of repositories as well as pages within — all code considered compromised.

https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_back_door@2x-2.png

May 2018

Backdoored npm Package Discovered

npm security team responds to reports the getcookies package, which contained malicious code that allowed remote users to execute arbitrary code on servers. The investigation also revealed that an existing package called mailparser began listing http-fetch-cookies as a dependency. Despite being deprecated, mailparser still receives about 64,000 weekly downloads.

Backdoored PyPI Package Discovered

Python module ssh-decorator backdoored to collect users' SSH credentials and sent the data to a remote server.

Code_Door-Thief
https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_hacker@2x-1.png

February 2018

Deleted GitHub Account Resurrected by Unknown User

After a developer deleted their go-bindata GitHub account, someone immediately grabbed the ID — inheriting the karma instilled in that ID and calling into question packages and sources.

npm Credentials Intentionally Compromised

A malicious version of a package from a core contributor to the conventional-changelog ecosystem is published. The package was installed 28,000 times in 35 hours and executed a Monero crypto miner.

https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_skimming@2x.png

January 2018

“I’m harvesting credit card numbers and passwords from your site. Here’s how.”

David Gilbertson writes a fictional tale on his blog about creating a malicious npm package.

https://www.sonatype.com/hubfs/SSC_Attacks_Illos/icon_keyboard@2x.png

September 2017

PyPI Typosquat

10 malicious Python packages found with misspelled names intentionally chosen to trick users. Evidence of the fake packages being incorporated into software was noted multiple times between June and Sept 2017.

July 2017

npm Credentials Published Online

Affects access to 14% of the npm repo (79K packages). As a result, npm reset the passwords and auth tokens of over 1,000 developers.

Typosquatting Attack on npm

39 packages harvested undetected over two weeks, collecting credentials used to publish to the npm repository itself.

17 Backdoored Images Created on Docker Hub

Username docker123321 uploads backdoored container images used to install reverse shells and cryptocurrency miners on users' servers. Images not removed until June 2018. The same username is later accused of poisoning a Kubernetes honeypot (Jan. 2018) and equated to a crypto-mining botnet (May 2018).

Password_Thief

Additional Resources

icon_circle_whitepapers@2x

2021 State of the Software
Supply Chain Report

Sonatype’s report blends a broad set of data to reveal important findings about open source and its increasingly important role in digital innovation.

demandbase_icon_circle_Intel@2x

What is Nexus Intelligence?

See how artificial intelligence and machine learning that never stops learning, plus 65 world class professionals with 500+ years of experience lead to the best data in the industry. 

Scanner Icon

Are Your Applications Secure?

Are you at risk of a software supply chain hack? Try Nexus Vulnerability Scanner for FREE to find out if your software has any open source security vulnerabilities.

Ready to Try Sonatype?

Secure and automate your software supply chain.